Privacy Policy

Last updated April 27, 2026

Six Privacy Commitments

Serviceform makes six concrete promises:

  1. Data Hosting: Default hosting on Google Cloud Finland; EU customers can be configured so data never leaves Google Cloud Finland.

  2. PII Redaction for AI: When AI features are enabled, the system automatically strips personal data (names, emails, phones, addresses, birth dates, IPs, SSNs, card numbers, medical information, geolocation) from end-user input before it reaches AI providers.

  3. 30-Day Response Guarantee: Privacy requests receive responses within 30 days, typically within five business days, at no charge.

  4. Encryption and Security: TLS 1.2+ in transit, AES-256 at rest, role-based access, MFA for admins, continuous monitoring, and 72-hour breach notification aligned with GDPR Articles 33–34.

  5. Opt-In Sub-processors: Every optional sub-processor can be excluded from configuration on request. Customers receive at least 30 days’ notice before adding new sub-processors they control.

  6. Purpose-Limited Processing: Data is processed only for stated purposes—never for resale, data brokerage, or enriching third parties. No automated decisions with legal effects on individuals; no profiling for such purposes.


Who We Are

Serviceform Oy is a Finnish private limited company.

  • Registered Office: Linnaistentie 20 B, 01640 Vantaa, Finland
  • Business ID: 2713896-6
  • Operational Office: Yliopistonkatu 23 A, 2A, 20100 Turku
  • Data Protection Officer: Jarkko Oksanen
  • Locations: Finland, Sweden, Spain, and Sri Lanka

Group Structure

Serviceform Oy operates wholly-owned subsidiaries:

  • Serviceform Software Solutions SL (Spain) — sales, customer success, product engineering for Iberian/EMEA
  • Serviceform Sweden AB — Nordic sales, customer success, partnerships
  • Serviceform Private Limited (Sri Lanka) — product engineering, customer support, operations

All subsidiaries are bound by the same security and data-protection standards. Transfers to the Sri Lanka subsidiary occur under Standard Contractual Clauses with a Transfer Impact Assessment.


Our Role: Controller and Processor

Controller: Serviceform controls personal data about website visitors, prospects, leads, newsletter subscribers, customer administrators, contractors, applicants, employees, and vendor contacts.

Processor: When customers deploy Serviceform products on their own websites and apps, Serviceform acts as a processor on the customer’s behalf under a Data Processing Agreement incorporating Article 28 GDPR clauses and EU Standard Contractual Clauses where applicable.


Our Products and Apps

Mira Platform

Core SaaS including AI chat, lead capture, forms, booking flows, CDP, workflows, voice, and messaging. Hosted on Google Cloud Platform in Hamina, Finland (Cloud Run, Firestore, Firebase Realtime Database).

Embeddable Widgets and Pixel

Serviceform pixel (V2/V3) and embeddable widgets (chat, recommendations, lead forms, booking) that load on customer websites. The customer controls the resulting end-user data.

WordPress Plugin

Installs the Serviceform pixel on WordPress sites and provides optional REST APIs for product catalogue, cart, recommendations, and order synchronization. Order endpoints are disabled by default.

Shopify App

OAuth-based app that reads product, collection, and order data via Shopify Admin API. Implements mandatory privacy compliance webhooks: customers/data_request, customers/redact (within 30 days), and shop/redact (within 48 hours of uninstall).

Mobile Applications

Native and hybrid apps distributed via Apple App Store and Google Play Store for customers’ staff to manage their Serviceform tenant.

Social Inbox and Email/Calendar Sync

Customers may connect Gmail or Microsoft Outlook accounts to sync inbound/outbound email and calendar events. Access is used solely for customer-support email handling, ticketing, ATS, and calendar booking management—never for advertising, analytics, or profiling.

Google API Services Limited Use Disclosure

Serviceform’s use of information from Google APIs (Gmail, Google Calendar, Google Drive, identity APIs) adheres to the Google API Services User Data Policy including Limited Use requirements. Data is not transferred to third parties except to provide prominent user-facing features, comply with law, or as part of a merger/acquisition with notice. Data is not used for advertisements and is not read by humans unless with affirmative agreement, for security, legal compliance, or aggregated/anonymized internal operations.

Meta Platform Terms Limited Use Disclosure

When customers connect Meta business accounts (Facebook Pages, Instagram, WhatsApp Business) to the Social Inbox, use adheres to Meta Platform Terms and WhatsApp terms. Information is used solely to deliver enabled messaging, lead-routing, and audience features. Meta data is not used to train AI models, sold for unrelated purposes, or used for identity-graph profiling. Facebook Login receives only requested public-profile and email scopes; friend lists and sensitive scopes are not requested by default.

Apple App Store and iOS Disclosures

  • Privacy Nutrition Labels in App Store Connect match policy categories.
  • The app does not use IDFA and does not perform cross-app or cross-website tracking; no ATT prompt appears.
  • A Privacy Manifest file (PrivacyInfo.xcprivacy) declares data types, tracking domains (none), and approved Apple Required Reason APIs.
  • Compliance with Apple App Store Review Guidelines and Developer Program License Agreement §5.1 and §5.6.
  • “Sign in with Apple” respects the hide-my-email relay choice.

Google Play and Android Disclosures

  • Data types in Google Play Console Data Safety form match policy categories.
  • All data in transit uses TLS 1.2+.
  • The app does not request sensitive permissions (SMS, Call Log, Accessibility, All Files Access, background location) without documented use cases.
  • Compliance with Google Play Developer Program Policies.

Account and Data-Deletion Request Mechanism

Users may request deletion of their Serviceform account and associated personal data at any time.

By Email: Write to asiakaspalvelu(at)serviceform.com with subject “Delete my account” or “Delete my data” from the registered email address. Identity verification may be required. Verified requests are actioned within 30 days, except where retention is required by Finnish accounting law (Kirjanpitolaki 1336/1997), tax law, AML legislation, or legal defense, in which case records are isolated and deleted at the end of the statutory retention period.

From Meta-Connected Account: If signed up via Facebook Login, send the same email to remove Meta-provided data.


Information We Collect

Data Categories

  • Contact Details: Real name, email, postal address, telephone, social-media username, title.
  • Financial Data: Credit-card last four digits, expiry date, bank-account number, billing address, transaction reference, VAT number. Full card numbers are processed by Stripe and never stored.
  • Identifiers and Legal Documents: Public health number, passport, proof of residence, right-to-work status, visa status, SSN, driver’s licence, national ID, signature.
  • Personal Characteristics: Sex, nationality, date of birth, gender, academic qualifications, age.
  • Location Data: Approximate location from IP, tracking data (consent-based).
  • Communications Data: Instant-messaging content, social-media posts, postal correspondence.
  • Views and Opinions: Survey responses, testimonials, references, non-political/religious/philosophical opinions.
  • Work-related Data: Employer, occupation, completed tasks, grievance/disciplinary details, CV.
  • Technical Identifiers: IP address, MAC address, usernames, hashed passwords, browser data, device identifiers, unique identifiers.
  • Activity and Behavioural Data: Feature usage, page views, click events, audit-log records.
  • Aggregated Data: Statistical or demographic data that does not identify you. If combined with personal data so it identifies you, it is treated as personal data.

Special Categories

Serviceform does not intentionally collect special-category data (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic, biometric, health data, sex life, sexual orientation, criminal-offence data). Users should not submit such data through forms or chats.

When acting as a processor on behalf of a customer, handling of special-category data follows the customer’s lawful instructions and Article 9 GDPR conditions—typically Article 9(2)(a) (explicit consent), Article 9(2)(b) (employment/social-security/social-protection law), or Article 9(2)(h) (preventive/occupational medicine). The customer must identify the applicable Article 9 ground in the DPA before processing. Staff and contractor data additionally rely on the Finnish Act on the Protection of Privacy in Working Life (759/2004) and equivalent national laws.


Under Article 6 GDPR—as supplemented by Finnish Data Protection Act (Tietosuojalaki, 1050/2018)—and national laws of Sweden, Spain, Portugal, Italy, UK GDPR, and Sri Lanka’s Personal Data Protection Act No. 9 of 2022, Serviceform relies on:

  • Consent (Art. 6(1)(a)): You have given clear consent for a specific purpose (e.g., non-essential cookies, marketing emails). Consent may be withdrawn anytime.
  • Contractual Necessity (Art. 6(1)(b)): Processing is necessary to perform a contract or take pre-contractual steps you requested.
  • Legitimate Interests (Art. 6(1)(f)): Processing is necessary for a business or commercial reason, balanced against your rights and interests.
  • Legal Obligation (Art. 6(1)(c)): Processing is necessary to comply with statutory duties, including the Finnish Accounting Act (Kirjanpitolaki, 1336/1997), Finnish tax law, and AML legislation.
  • Vital Interests and Public Interest are not generally relied upon.

Direct marketing to existing business customers about similar products operates under soft opt-in permitted by §200 of the Finnish Act on Electronic Communications Services (Sähköisen viestinnän palveluista annettu laki, 917/2014). Marketing to prospects requires prior consent under §200(1). Cookies and similar tracking require consent under §205.

Provision of Personal Data—Article 13(2)(e) GDPR Disclosure

  • Website Visitors and Newsletter Subscribers: Provision is voluntary. Consequence of not providing: we cannot send requested content or contact you.
  • Customer Account Holders: Account, billing, contact, and authentication data are contractual requirements. Without them, services cannot be delivered.
  • Leads and Prospects: Provision is voluntary. Consequence: we cannot follow up on your interest.
  • Staff and Contractors: Certain data (identity, tax, social-security, payroll, AML) are required by Finnish, Swedish, Spanish, and Sri Lankan law. Without them, employment or contractor relationships cannot be entered or maintained.

How We Process Personal Data of Our Customers

Purpose | Data Categories | Legal Basis
Accounts Receivable | Contact Details, Financial Data | Contractual Obligations
Authenticating Users | Contact Details, Technical Identifiers | Contractual Obligations
B2B Email/Text Digital Marketing (existing customers) | Contact Details, Personal Characteristics, Views and Opinions | Soft opt-in §200 Finnish Information Society Code + Art. 6(1)(f) GDPR. Opt-out in every message.
Customer Relationship Management (CRM) | Activity and Behavioural, Contact Details, Personal Characteristics | Legitimate Interest
Customer Support | Contact Details, Personal Characteristics, Views and Opinions, Communications Data | Legitimate Interest
Digitally Signing Documents | Contact Details, Technical Identifiers | Contractual Obligations
Error & Log Management | Technical Identifiers, Activity and Behavioural | Legitimate Interest
Fraud Prevention | Contact Details, Financial Data, Location Data, Technical Identifiers | Legitimate Interest / Legal Obligation
Hosting, Infrastructure, Integrations and File Storage | Contact Details, Personal Characteristics, Content uploaded to the platform | Contractual Obligations
Onboarding & Product Demos | Activity and Behavioural, Contact Details, Views and Opinions | Contractual Obligations / Legitimate Interest
Publishing apps to the Apple App Store | Activity and Behavioural, Technical Identifiers | Contractual Obligations
Publishing apps to the Google Play Store | Activity and Behavioural, Technical Identifiers | Contractual Obligations
Targeted Advertising (excluding Social Inbox Gmail Sync) | Activity and Behavioural, Contact Details, Location Data, Personal Characteristics | Consent (Art. 6(1)(a) GDPR) and §205 Finnish Information Society Code. No legitimate-interest fallback.
Transactional Emails (service notifications, receipts, security alerts) | Contact Details | Contractual Obligations / Legitimate Interest
Website and Web-app Analytics & Tracking | Activity and Behavioural, Technical Identifiers | Consent
AI features in our products (chat, summarisation, classification) | Content of conversations and prompts strictly limited to the configured use | Contractual Obligations (instructed by Customer)

When Acting as a Processor: Processing occurs only on documented instructions from customers, who serve as data controllers. For additional insights, customers may request access to the Data Processing Agreement or refer to the customer’s privacy policy.


How We Process Personal Data of Our Customers’ End-users

When Acting as a Processor: Processing occurs based on explicit directives from customers, who serve as data controllers. In this capacity, Serviceform may handle special-category data pertaining to a customer’s users. Such processing strictly adheres to permissions and exemptions established by the customer as data controller. End-users seeking to exercise rights should contact the customer directly. Additional insights are available in the DPA or the customer’s privacy policy.


How We Process Personal Data of Our Leads

Purpose | Data Categories | Legal Basis
B2B Email/Text Digital Marketing (prospective customers) | Contact Details, Personal Characteristics, Views and Opinions | Consent
Customer Relationship Management (CRM) | Activity and Behavioural, Contact Details, Personal Characteristics | Legitimate Interest
Hosting, Infrastructure, Integrations and File Storage | Contact Details, Personal Characteristics | Legitimate Interest
Onboarding & Product Demos | Activity and Behavioural, Contact Details, Views and Opinions | Legitimate Interest
Prospecting | Contact Details, Work-related Data | Legitimate Interest
Targeted Advertising (excluding Social Inbox Gmail Sync) | Activity and Behavioural, Contact Details, Location Data, Personal Characteristics | Consent (Art. 6(1)(a) GDPR) and §205 Finnish Information Society Code.
Website and Web-app Analytics & Tracking | Activity and Behavioural, Technical Identifiers | Consent

How We Process Personal Data of Our Newsletter Subscribers

Purpose | Data Categories | Legal Basis
Sending newsletters and product updates | Contact Details | Consent

How We Process Personal Data of Our Website Visitors

Purpose | Data Categories | Legal Basis
Tag Management | Activity and Behavioural, Technical Identifiers | Consent / Legitimate Interest
Targeted Advertising (excluding Social Inbox Gmail Sync) | Activity and Behavioural, Contact Details, Location Data, Personal Characteristics | Consent (Art. 6(1)(a) GDPR) and §205 Finnish Information Society Code.
Website Hosting and Delivery | Contact Details, Technical Identifiers | Legitimate Interest
Website Tracking and Analytics | Activity and Behavioural, Technical Identifiers | Consent
Security, Abuse Prevention and Bot Mitigation | Technical Identifiers, IP address | Legitimate Interest

How We Process Personal Data of Our Contractors

Purpose | Data Categories | Legal Basis
Accounts Payable | Contact Details, Financial Data | Contractual Obligations
Digitally Signing Documents | Contact Details, Technical Identifiers | Contractual Obligations
Communication and Project Coordination | Contact Details, Communications Data | Contractual Obligations

How We Process Personal Data of Our Staff

Purpose | Data Categories | Legal Basis
Digitally Signing Documents | Contact Details, Technical Identifiers | Contractual Obligations
Hosting, Infrastructure, Integrations and File Storage | Contact Details, Financial Data, Identifiers and Legal Documents, Personal Characteristics, Work-related Data | Legitimate Interest / Contractual Obligations
Internal Communication | Communications Data, Contact Details | Legitimate Interest
Payroll – Finland | Contact Details, Financial Data, Identifiers and Legal Documents | Contractual Obligations / Legal Obligation
Payroll – Spain | Contact Details, Financial Data, Identifiers and Legal Documents | Contractual Obligations / Legal Obligation
Payroll – Sweden | Contact Details, Financial Data, Identifiers and Legal Documents | Contractual Obligations / Legal Obligation
Payroll – Sri Lanka | Contact Details, Financial Data, Identifiers and Legal Documents | Contractual Obligations / Legal Obligation
Social Media Management & Scheduling | Contact Details | Legitimate Interest
Recruitment and HR Records | Contact Details, Identifiers and Legal Documents, Work-related Data, Personal Characteristics | Pre-contract / Legitimate Interest / Consent where required

For Finnish staff, the Finnish Act on the Protection of Privacy in Working Life (Laki yksityisyyden suojasta työelämässä, 759/2004) limits collection to data directly necessary for the employment relationship. Equivalent protections apply in Sweden, Spain, and Sri Lanka.


How Your Personal Data Is Collected

Personal data is collected through:

  • Direct Interactions: You provide contact, identity, financial, and other information by filling forms, or corresponding by post, phone, email, website, or applications.
  • Automated Technologies: As you interact with the website and services, technical, profile, usage, and activity data is automatically collected through cookies, server logs, error reporting, and similar technologies.
  • Third Parties or Publicly Available Sources: Data may be received from CRM enrichment providers, recruitment platforms, professional networks (e.g., LinkedIn), business registries, identity providers (Google, Microsoft), and authorized partners.

Sources of Third-Party Data (Article 14(2)(f) GDPR)

Source | Categories Obtained | Publicly Accessible?
LinkedIn (public profiles, Sales Navigator) | Identity, contact, employment-history, professional data | Partly—public LinkedIn profiles are publicly accessible
Business registries (PRH, Bolagsverket, AEPD records) | Company contact details, business identifiers | Yes
B2B enrichment / lead-intelligence providers (Leadfeeder / Dealfront, Reply.io) | Identity, contact, work-related data, technical identifiers | Generally based on publicly available business data
Identity providers (Google, Microsoft, Facebook, Apple) when SSO is used | Name, email, profile photo, identity-provider user ID | No
Customer-authorised integrations (e.g., Customer’s own CRM, ecommerce platform) | Categories defined by the integration and the Customer’s configuration | No
Advertising and analytics platforms (Meta, Google, LinkedIn, X) | Aggregated and pseudonymised audience data; conversion events (consent-based) | No

Where personal data about you is obtained from a source other than yourself, notice is provided within one month of obtaining the data, or at the latest at the time of first communication, per Article 14(3) GDPR. You have the right to object to processing based on legitimate interests, including enrichment-data processing.


Third Parties and Sub-processors

Personal data is shared only when necessary and only with recipients bound by confidentiality and data-protection obligations. The sub-processor model is structured in two parts:

  • Part A — What We Provide to Our Customers: Sub-processors that may process customer data on customers’ behalf. Within Part A, one sub-processor is engaged for every customer (the “core” row, Google Cloud Finland). All other Part A sub-processors are optional—engaged only when the customer enables a feature, integration, or configuration choice requiring them. Customers may request a configuration excluding any optional sub-processor.
  • Part B — What Serviceform Uses for Its Own Operations: Service providers Serviceform engages for its own business (billing, accounting, payroll, sales, marketing, internal productivity). These do not process customer end-user data; where they process personal data of website visitors, prospects, employees, or vendor contacts, Serviceform Oy is the controller.

The full structured list—with each sub-processor’s activation trigger and data residency—is maintained at serviceform.com/subprocessors and is updated with at least 30 days’ notice for material additions. All sub-processors handling personal data implement encryption in transit (TLS 1.2+) and encryption at rest for primary stores. Serviceform does not sell personal data and does not share it for cross-context behavioural advertising under the California Consumer Privacy Act.

Customer-Authorised Integration Destinations

Customers can configure Serviceform to forward data to third-party systems they operate (CRM, marketing automation, ecommerce, ticketing, shipping, analytics). When a customer connects such an integration, data flows from Serviceform to that destination using customer-supplied credentials, and the receiving system becomes a separate controller (or the customer’s processor) under its own privacy policy. Common destinations include HubSpot, Salesforce, Microsoft Dynamics 365, Pipedrive, Klaviyo, Mailchimp, Brevo, ActiveCampaign, LianaMailer, Linear, Shopify, WooCommerce/WordPress, Shipit, DHL, Matkahuolto, WhatsApp Business, and Meta/Google ad platforms. Serviceform is not responsible for those destinations’ privacy practices beyond the act of transmission instructed by the customer.

Shopify Protected Customer Data and Compliance Webhooks

The Serviceform Shopify app is registered with Shopify’s Protected Customer Data programme and processes Level 1 protected customer data (name, email, address) only as needed to provide enabled features. Mandatory privacy compliance webhooks are honoured within required timeframes: customers/data_request (surface to the merchant any data relating to the customer), customers/redact (delete identified customer data within 30 days), and shop/redact (delete merchant configuration, sessions, and retained data when issued 48 hours after uninstall).


International Transfers and EU Data Residency

EU Data Residency Commitment for European Customers

For customers based in the European Economic Area, United Kingdom, or Switzerland, the Serviceform platform operates on the principle that data should stay in Europe. By default, the only sub-processor engaged in processing customer data is Google Cloud / Firebase hosted in Hamina, Finland (Cloud Run with managed Postgres database, Firestore, Firebase Realtime Database, Firebase Authentication, Cloud Storage), meaning EU customers’ primary platform data—chat conversations, contacts, leads, CDP records, tenant configuration, authentication credentials—is stored and processed inside Finland.

Additional EU-hosted sub-processors are engaged only when the customer enables a feature or configuration requiring them—for example, Elastic Cloud (Finland/Germany) for search and analytics, ClickHouse Cloud (EEA) and Google BigQuery (EU multi-region) for analytics, and Typesense (EEA) for search indexing. These remain inside the EEA.

Data may leave Europe only when (i) the customer enables an optional feature or integration whose provider operates outside the EEA—for example, AI inference (OpenAI Ireland Ltd contracting, US compute), Twilio for voice/SMS, Meta-platform messaging, or Zapier-based forwarding; or (ii) the customer instructs forwarding to an integration destination they own outside Europe. The full mapping of which sub-processor is engaged when, and where each is located, is at /subprocessors.

Transfer Safeguards

Whenever personal data is transferred out of the EEA, United Kingdom, or Switzerland, similar protection is ensured by implementing at least one of these safeguards:

  • The destination country has been deemed by the European Commission, UK ICO, or competent authority to provide adequate protection—for example, the United Kingdom (EU–UK Adequacy Decision) and Japan, Switzerland, Republic of Korea, and others.
  • Appropriate transfer mechanisms such as the European Commission’s Standard Contractual Clauses (Decision 2021/914), UK International Data Transfer Agreement, or UK Addendum are used, supplemented by technical and organisational measures (encryption, pseudonymisation, strict access controls).
  • The EU–US Data Privacy Framework is relied upon where the recipient is certified.
  • For transfers to third countries without adequacy decisions—notably the Sri Lanka subsidiary and certain US subprocessors—documented Transfer Impact Assessments are conducted before transfer, and additional safeguards are applied where assessments indicate they are needed.

Copies of safeguards are available on request from asiakaspalvelu(at)serviceform.com.


Data Security

Appropriate security measures are in place to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. Access to personal data is limited to employees, agents, contractors, and third parties with a business need to know; they process it only on instructions and are subject to confidentiality duties.

The information-security programme aligns with ISO/IEC 27001 principles and includes:

  • TLS 1.2+ encryption in transit and AES-256 encryption at rest for primary data stores.
  • Role-based access control with least-privilege defaults; multi-factor authentication for administrators.
  • Network segmentation, web application firewall, DDoS protection.
  • Continuous logging, monitoring, and intrusion detection.
  • Secure software development lifecycle, dependency scanning, and periodic penetration testing.
  • Vendor risk assessments and contractual data-protection terms.
  • Incident-response procedures meeting GDPR Articles 33–34, including notification to the Office of the Data Protection Ombudsman of Finland within 72 hours where required, and notification to affected individuals where there is high risk to their rights and freedoms. When acting as processor on behalf of a customer, the affected customer (controller) is notified without undue delay and in any event within 48 hours of becoming aware, per Article 33(2) GDPR and the DPA.
  • Confidentiality obligations and security training for personnel.

Where you have chosen a password enabling access to certain parts of applications, you are responsible for keeping that password confidential. Do not share your password with anyone. If you believe your account has been compromised, contact security(at)serviceform.com immediately. No service can be guaranteed to be 100% secure.

Trust Documentation

DPA, list of subprocessors, security overview, Transfer Impact Assessment summaries, and breach-notification procedure are available to customers on request. Write to asiakaspalvelu(at)serviceform.com with your organisation name and the document you would like to receive.


Data Retention

Personal data is retained only as long as reasonably necessary to fulfil the purposes for which it was collected, including any legal, regulatory, tax, accounting, or reporting requirements. Data may be retained longer in the event of a complaint or where there is a reasonable prospect of litigation. Where Serviceform acts as a data processor, retention periods are set by the customer (data controller) per their policies and regulatory requirements.

Category | Retention
Lead and live-chat data (processed for Customers) | 2 years from creation (configurable shorter on Customer request); deleted automatically thereafter
Customer account and billing records | Duration of contract + 6 years (Finnish Accounting Act, Kirjanpitolaki 1336/1997)
Personal data after termination of the Service Agreement | Returned or deleted at the Customer’s discretion; default retention is 6 months unless otherwise agreed
Anonymised statistical data | Retained for the duration defined by the Customer; no longer associable with any identifiable data subject
Marketing prospect data | Until you unsubscribe or 24 months of inactivity, whichever is sooner
Cookies and online identifiers | Per cookie; max 13 months for analytics cookies
Support tickets and correspondence | 3 years from closure
Recruitment data (unsuccessful applicants) | 12 months from decision (longer with consent)
Employee records | Duration of employment + 10 years (statutory periods under Finnish, Spanish, Swedish and Sri Lankan labour and tax law)
System logs and security telemetry | 12 months
Backups | Up to 35 days, then overwritten

After the retention period, data is deleted or irreversibly anonymised unless statutory retention is required.


Automated Decision-Making and AI

Some Serviceform products are AI-powered, using machine learning and large language models to power chatbots, classify intents, route requests, and generate responses. Serviceform does not use personal data to make decisions producing legal or similarly significant effects on you without human involvement (Article 22 GDPR), nor does it engage in profiling producing such effects.

AI Features Are Opt-In Per Customer

AI features (e.g., an AI bot answering customer inquiries on a website or via WhatsApp) are enabled only for customers who specifically contract them. Customers who have not subscribed to AI features have no end-user data forwarded to any AI provider.

Automatic PII Redaction Before AI Processing

When a customer enables AI services, the system automatically removes personal data from end-user input before forwarding it to OpenAI Ireland Ltd or Google AI/Gemini for inference. Default redaction categories include:

  • Names (first and last)
  • Email addresses
  • Phone numbers
  • Postal addresses
  • Birth dates
  • IPv4/IPv6 addresses
  • Customer IDs and order numbers
  • Social-security and national-insurance numbers
  • Credit-card numbers
  • Bank-account numbers
  • Medical information
  • Geolocation (lat/long) data

The redaction process is regularly reviewed and pattern-matching is continuously updated as new data types and privacy regulations emerge. Customers may request additional redaction categories. Even though an AI provider participates in answering the end-user’s question, the underlying model never receives identifiable personal data.

No Training on Your Data

Serviceform does not use customer end-user conversations to train Serviceform models, and contractually requires AI providers to do the same on the API plans used:

  • OpenAI: The contracting entity for EEA processing is OpenAI Ireland Ltd, acting as data processor under a signed Data Processing Addendum dated 11 November 2024 incorporating Module 2 and Module 3 of the EU Standard Contractual Clauses and the UK Addendum. OpenAI does not use API request or response data to train or improve models, retains API Customer Data for a maximum of 30 days for abuse-monitoring before deletion, and notifies at least 15 days in advance of any sub-processor changes (relayed to customers).
  • Google (Gemini API / Vertex AI): Operates under enterprise API terms barring model-training use of Customer Data, with regional EEA processing where available.

When you use a Serviceform-powered chatbot or AI assistant on a customer’s website, the customer determines configuration; Serviceform provides the underlying technology as a processor under its DPA.


You have the right to:

  • Request access (a “data subject access request”) to receive a copy of personal data held about you and check that it is being lawfully processed.
  • Request correction of incomplete or inaccurate data held about you. Identity verification may be required.
  • Request erasure of personal data where there is no good reason to continue processing it. Compliance may not always be possible for specific legal reasons, which will be explained.
  • Object to processing based on legitimate interests where your particular situation makes you want to object on this ground. You also have the right to object at any time to direct-marketing processing, which will always be honoured.
  • Request restriction of processing where you contest accuracy, where use is unlawful but you do not want erasure, where you need data to establish/exercise/defend legal claims, or while verification of overriding legitimate grounds occurs.
  • Request data portability—receive certain data in a structured, commonly used, machine-readable format and have it transmitted to another controller. This applies only to information you initially provided consent for or where information was used to perform a contract with you.
  • Withdraw consent at any time where consent is the basis for processing. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Not be subject to solely automated decisions producing legal or similarly significant effects.
  • Lodge a complaint with a supervisory authority (see below).

No fee is charged to access personal data or exercise other rights. A reasonable fee may be charged, or compliance refused, if your request is clearly unfounded, repetitive, or excessive. Specific information may be requested to confirm identity.

Service-Level Commitment

“We respond to every legitimate data-subject request within 30 days as required by Article 12(3) GDPR, and most requests are answered within five business days.” The 30-day clock can be extended by up to two further months for genuinely complex requests, in which case you will be told within the first month why and kept updated.

Supervisory Authorities

The lead supervisory authority is the Office of the Data Protection Ombudsman of Finland (Tietosuojavaltuutetun toimisto), Lintulahdenkuja 4, 00530 Helsinki, tietosuoja.fi. You may also lodge a complaint with the authority where you live or where the alleged breach occurred—for example AEPD (Spain), IMY (Sweden), CNPD (Portugal), Garante (Italy), or the ICO (United Kingdom, ico.org.uk).

Sri Lanka Residents

Under the Sri Lanka Personal Data Protection Act No. 9 of 2022, you have analogous rights of access, rectification, erasure, withdrawal of consent, objection to direct-marketing processing, and review of solely automated decisions. You may lodge a complaint with the Data Protection Authority of Sri Lanka.

Notice for California Residents (CCPA / CPRA)

This Notice at Collection is provided in addition to the rights described above to comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”).

Categories of Personal Information We Collect

CCPA §1798.140 categories: identifiers (name, email, IP, device identifiers); commercial information (purchase history, billing); internet or other electronic network activity (browsing, interactions with tools); geolocation (approximate, from IP); audio, electronic, visual or similar information (when customers connect voice or chat features); professional or employment-related information (for B2B leads and customer staff); inferences (segments from interactions). For staff and applicants only: Sensitive PI (Cal. Civ. Code §1798.140(ae))—government identifiers, account login credentials, precise geolocation where strictly necessary, contents of mail/email/text messages, and limited health-information categories may be processed where the customer has instructed it as controller and a lawful basis exists.

Sources of Personal Information

Directly from you (forms, chats, account creation); automatically (cookies, server logs); from your employer or organisation (when added to a customer’s tenant); from third parties (LinkedIn, business registries, enrichment providers, identity providers, advertising platforms, connected integrations).

Business or Commercial Purposes

Providing and securing the Services; fulfilling the contract with you; customer support; quality assurance; preventing fraud and abuse; analytics; advertising and remarketing (consent-based); legal compliance and defence of claims.

Categories Disclosed for a Business Purpose (Past 12 Months)

Identifiers, commercial information, internet activity, geolocation, professional information—disclosed only to sub-processors listed at /subprocessors, each bound by data-protection terms.

We Do Not “Sell” or “Share” Personal Information

We do not “sell” personal information and do not “share” personal information for cross-context behavioural advertising under the CCPA. We have not sold or shared personal information of consumers (including minors under 16) in the past 12 months.

Retention of Each Category

Per the retention table in Section 17. Each category is retained for the period reasonably necessary to fulfil the disclosed purpose, plus any statutory retention period.

Your CCPA Rights

Right to know, access, correct, delete, port, opt out of sale/sharing, limit use of sensitive PI, opt out of certain profiling, and not to be discriminated against for exercising your rights. Authorised agents may submit requests on your behalf with proof of authority (signed permission, power of attorney) and identity verification.

How to Exercise Your CCPA Rights

Email asiakaspalvelu(at)serviceform.com with subject “California privacy request” or write to the registered office. Global Privacy Control (GPC) browser signals are honoured as a valid opt-out of sale and sharing request where applicable. Response within 45 days, extendable by an additional 45 days for complex requests.

Shine the Light

(Cal. Civ. Code §1798.83): California residents may request information about disclosures of personal information to third parties for their direct-marketing purposes. Serviceform does not currently make such disclosures, but will respond to a written Shine the Light request sent to the registered office.

Other US States

Residents of states with comprehensive privacy laws—Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), Delaware (DPDPA), Montana (MTCDPA), New Hampshire (NHPA), New Jersey (NJDPA), Iowa (IADPA), Maryland (MDPA)—and the Washington My Health My Data Act and Florida Digital Bill of Rights where applicable, have analogous rights to access, correct, delete, port, and opt out of sale, targeted advertising, and profiling. To exercise these rights, use the email above; GPC signals are honoured where applicable and responses follow the timeframe required by relevant state law.

Other Jurisdictions

For residents of jurisdictions not listed above—including Canada (PIPEDA and the Quebec Act respecting the protection of personal information in the private sector / Law 25), Brazil (LGPD), Australia (Privacy Act), India (DPDP Act 2023), Japan (APPI), South Korea (PIPA), and Switzerland (revFADP)—substantive rights of access, rectification, deletion, withdrawal of consent, objection to direct marketing, and complaint to the local authority are honoured on the same email channel. A Quebec Person in Charge of Personal Information can be reached at the same email; for now this role is held by Privacy Lead, Jarkko Oksanen.

To exercise any right, email asiakaspalvelu(at)serviceform.com or write to the registered office.


Children

The website and services are not directed to children under 16, the digital-consent age set in §5 of the Finnish Data Protection Act (Tietosuojalaki 1050/2018), and Serviceform does not knowingly collect personal data from children. Where a customer deploys products in a context where users under 16 may interact with them (e.g., a chatbot on a youth-services website), the customer remains the controller and is responsible for obtaining verifiable parental consent under Article 8 GDPR. On request, Serviceform offers a minor-blocking configuration that flags input appearing to originate from a minor and immediately deletes it without forwarding to AI providers or storing it as a lead. Contact the privacy email above to enable it.

For US customers subject to the Children’s Online Privacy Protection Act (COPPA), parental notice and verifiable consent obligations sit with the customer-controller; Serviceform supports customers in meeting them.

If you believe a child has provided personal data, please contact asiakaspalvelu(at)serviceform.com and we will delete it.


This website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Serviceform does not control those third-party websites and is not responsible for their privacy statements. When you leave this website, you are encouraged to read the privacy policy of every website you visit.


Changes to This Policy

This Privacy Policy may be updated from time to time. Material changes will be communicated by email—where Serviceform has your address and the change affects you—or by a prominent notice on the website at least 30 days before the change takes effect. The “Last updated” date at the top reflects the latest revision.

Version History

Date | What Changed
27 April 2026 | Full rewrite. Replaced hosted iframe with inline policy. Added Y-tunnus, group structure with wholly-owned subsidiaries, Finnish-law citations (Tietosuojalaki, ECS Act §200/§205, Kirjanpitolaki, Working Life Act). Added Mira platform, WP/WooCommerce plugin, Shopify app, Social Inbox / Gmail-Outlook sync (Google Limited Use), Meta Platform Limited Use, Apple App Store and iOS disclosures, Google Play and Android disclosures, account-deletion mechanism. Restructured sub-processors into core / optional / internal. Added California (CCPA / CPRA) Notice at Collection, other US-state rights, Sri Lanka PDPA, Quebec Law 25 representative, PIPEDA / LGPD / DPDPA / APPI / revFADP. Added Article 13(2)(e) statutory/contractual disclosure, Article 14(2)(f) source mapping, Article 9 grounds, 48-hour processor breach SLA, version log.

Contact Us

  • Privacy Enquiries / Data-Subject Requests: asiakaspalvelu(at)serviceform.com
  • Security Incidents: security(at)serviceform.com
  • General: help(at)serviceform.com · +358 45 7836 1590
  • Postal: Serviceform Oy (Y-tunnus 2713896-6), Linnaistentie 20 B, 01640 Vantaa, Finland

Cookies

Use of cookies and similar technologies, the four cookie categories (strictly necessary, functionality, analytical, targeting), the specific third-party cookies in use, and available controls are set out in the Cookie Notice (/cookies). You can change or withdraw consent anytime using the “Cookie settings” control in the footer (powered by Usercentrics).