Privacy policy
This statement describes how Attire processes personal data in accordance with the EU General Data Protection Regulation (GDPR). The latest update of the statement can be found at the end of the page.
1. Data Controller
Kinttala Group
Business ID: 2933129-2
Address: Salonkyläntie 167, 21140 Rymättylä
Email: info@attire.fi
2. Contact person for data protection matters
Questions, requests, and notifications related to data protection: tietosuoja@attire.fi. We will respond within one business day on weekdays.
3. Personal data processed
The following data is processed in connection with the use of the service:
- User data: name, email, phone number, username, password stored as a hashed digest, last login, and language selection
- Company Information: company name, business ID, address, billing information, contact person
- Vehicle Information: registration number, VIN, technical details, odometer readings, ownership and location history
- Report Information: inspection, maintenance, and repair reports, photos attached to reports, comments and signatures
- Usage Logs: IP address, usage time, browser and device used, actions performed in the service
- Billing Information: Stripe customer ID, tokenized payment card details (Stripe), billing history
- Referral Program Information: when you arrive at Attire via a ?ref-link (e.g. QR code for PDF reports), we will store the referral code, IP address as a SHA-256 hash (not in plain text), browser identifier, and visit information. We use this data to allocate rewards related to referrals and to prevent abuse.
We do not process special categories of personal data as defined by data protection regulations (health data, race-related information, etc.).
4. Purpose and Legal Basis of Processing
- Fulfillment of Contract — providing the service according to the ordered package, authentication, billing, and customer support
- Legitimate Interest — service development, maintaining data security, preventing abuse, and anonymized usage analytics
- Consent — marketing communication about new features (only if requested separately, can be revoked at any time)
- Legal Obligation — storage of accounting materials in accordance with accounting law
5. Retention Period
- Active Order: during the validity of the order
- Trial Period not activated: 30 days after the end of the trial, after which the data will be automatically deleted
- Expired Order: 12 months from cancellation for reactivation, after which permanent deletion
- Usage Logs: 12 months
- Referral Program Click Data: 24 months (allows targeting of later registrations to the referrer). Accounting for referral rewards (amount of reward, identifier of the performer) is retained in accordance with accounting law.
- Referral Program Cookies: attire_ref 30 days, attire_did 12 months (browser-specific identification also works after cookie deletion)
- Evästesuostumus: attire_cookie_consent 12 kuukautta (tallentaa evästevalintasi). Google Analytics -evästeet (_ga, _ga_*) enintään 24 kuukautta, asetetaan vain suostumuksella
- Accounting Material (invoices, payment receipts, rewards): 10 years from the end of the financial year in accordance with accounting law
6. Data Sources
Data is primarily collected directly from the user during registration and use of the service. Additionally, public information about vehicles may be enriched through Traficom or a similar open interface at the user's request.
7. Recipients and Sub-processors
The following contractual partners process personal data on our behalf:
- Google Cloud — Google Ireland Limited; server capacity, database, and file storage in the EU area (europe-west3, Frankfurt)
- Stripe — Stripe Payments Europe Ltd. (Ireland) and Stripe Inc. (United States); payment processing and subscription billing
- Plausible Analytics — Plausible Insights OÜ (Estonia); anonymized visitor analytics without cookies
- Google Analytics — Google Ireland Limited; julkisen markkinointisivuston kävijäanalytiikka. Käytössä vain evästesuostumuksen antaneille kävijöille; ei käytössä kirjautuneessa sovelluksessa
- Email service provider — sending transaction messages (e.g., registration, notifications)
- Providers of accounting and auditing services as required by law
The data processing agreement (DPA) in accordance with Article 28 of the EU GDPR is available for business users — see DPA template.
8. Cookies and consent
Käytämme evästeitä ja vastaavia tekniikoita kahteen tarkoitukseen:
- Välttämättömät evästeet — kirjautuminen, istunnon ylläpito, CSRF-suojaus ja evästevalintasi muistaminen (attire_cookie_consent). Nämä eivät vaadi suostumusta, koska palvelu ei toimi ilman niitä.
- Analytiikkaevästeet (suostumuksella) — Google Analytics (_ga, _ga_*) kerää tilastoa siitä, miten julkista markkinointisivustoa käytetään, jotta voimme kehittää sitä. Nämä asetetaan vasta kun olet antanut suostumuksesi.
- Cookieless-analytiikka — Plausible Analytics mittaa kävijämääriä ilman evästeitä eikä tunnista yksittäistä kävijää, joten se ei vaadi suostumusta.
Kun saavut sivustolle, näytämme evästebannerin. Google Analytics -evästeitä ei aseteta eikä mitään analytiikkadataa kerätä ennen kuin valitset "Hyväksy kaikki" (Google Consent Mode v2, oletuksena estetty). Jos valitset "Vain välttämättömät", analytiikkaa ei oteta käyttöön.
Voit muuttaa tai peruuttaa suostumuksesi milloin tahansa sivun alatunnisteen "Evästeasetukset"-linkistä. Voit myös estää ja poistaa evästeet selaimesi asetuksista. Suostumuksen peruminen ei vaikuta ennen perumista tehdyn käsittelyn lainmukaisuuteen.
9. Transfers outside the EU
Stripe Inc.:n osalta osa maksuliikenteen tiedoista sekä Google Analyticsin osalta osa analytiikkatiedoista voidaan siirtää Yhdysvaltoihin palvelun suorittamiseksi. Siirrot tapahtuvat EU:n hyväksymien vakiosopimuslausekkeiden (SCC, Standard Contractual Clauses) nojalla. Muiden alikäsittelijöiden kanssa käsittely pidetään EU/ETA-alueella.
10. Rights of the data subject
The GDPR grants the data subject the following rights:
- Right to access personal data
- Right to rectify inaccurate or incomplete data
- Right to have data erased (right to be forgotten)
- Right to restrict processing
- Right to data portability in a machine-readable format
- Right to object to processing based on legitimate interest
- Right to withdraw consent at any time
- Right to lodge a complaint with the Data Protection Ombudsman (tietosuoja.fi)
Requests regarding rights should be addressed to tietosuoja@attire.fi. The processing time for requests is up to 30 days. To verify identity, we may ask for additional information.
11. Data Security
- Internet traffic is encrypted with the TLS 1.2+ protocol
- Passwords are stored only as one-way hashes
- Access control is based on roles and minimum privileges
- All significant changes are logged
- Production keys and secrets are stored in Google Secret Manager
- Regular backups are kept within the EU
12. Update History
Updated: 29.6.2026.
We will notify users of significant changes in the service or via email at least 30 days before they take effect.
This statement has been prepared to reflect the current state of the service. The final version, reviewed by a lawyer, will be updated to this address separately.