PRIVACY POLICY – Lentävä liitutaulu Oy

Updated on March 31, 2023

1. Introduction

This Privacy Policy describes the principles according to which Lentävä liitutaulu Oy (hereinafter also referred to as "Seppo" or "we") as a data controller collects and processes personal data relating to:

a) SEPPO users (Section 4.1 below),
b) customers and business partners (Section 4.2 below),
c) marketing (Section 4.3 below),
d) employees (Section 4.4 below), and
e) job applicants (Section 4.5 below), as well as
f) on legal grounds and for legal purposes (Section 4.6 below).

Personal information is any information related to an identified or identifiable person, such as a name, email address or photograph.

2. Controller and contact details for privacy questions

Lentävä liitutaulu Oy
Business ID: 2500405-9
Päivöläntie 52
00730 Helsinki
FINLAND
www.seppo.io
Email: info@seppo.io

Please use the above contact details, if you have any questions regarding privacy matters. Our contact person in privacy matters is Tero Kulha.

3. Seppo as a data processor

By offering the Seppo online platform, we may also operate in the role of a data processor to an organization, person or entity who uses our service as a SEPPO platform customer. The purposes and principles of personal data processing are determined in these situations in the agreement Seppo has concluded with the customer. Seppo may not process such data for any purposes other than for the benefit of the customer in question and in accordance with the customer's instructions. The principles of how Seppo's customers process personal data are described in their own privacy policies.

4. What personal data we process, for what purpose, what is the legal basis for the processing and the applicable data retention period

We collect, store and process personal data only for predefined purposes and only on legal grounds. We process personal data mainly for the following purposes and on the following grounds:

4.1 SEPPO users

Purpose

Provision of digital and online-based software and services, i.e. the SEPPO platform

Description of the processing

In connection with the provision of digital and online-based services, personal data relating to SEPPO platform users is processed, for example, for (1) concluding a user agreement and accepting the terms of use, (2) creating a user account, (3) identifying the user during use of the service, (4) providing support and communicating with the users, and (5) operating the SEPPO webshop.

Processed personal data

Game developers:
  • Email address*
  • Password*
  • Name
  • Phone number
  • Game content developed by the game developer
Player accounts:
  • Email address*
  • Password*
Customers who purchase licenses:
  • Name of the organization*
  • Email address*
  • Details for invoicing*
  • Number of licenses*
*mandatory data

Legal basis:

Agreement. This processing of personal data is necessary for the creation of a contract and the execution of the concluded contract, such as a user agreement.

Legitimate interest. The aforementioned purpose is also in accordance with our legitimate interest related to the provision of our digital and other online-based services, and we consider that based on the relationship or your position between you and our company, it is also processing that you can reasonably expect in connection with the provision of the service and which does not conflict with your fundamental rights and freedoms.

Data retention period:

User data is typically stored for the duration of the license plus 6 months. We do not store personal data for longer than is necessary for the purpose of their use or as required by contract or law. Personal data can also be deleted in the situation when the data subject withdraws his/her consent or requests the deletion of his/her data (and there is no other legal basis for the processing).

4.2 Customers and business partners (incl. potential)

Purpose

Creating and maintaining customer and business relationships

Description of the processing

We process personal data in various functions to conclude and execute business-to-business contracts, such as contracts of sale, license and user agreements, subcontracting agreements and other partnership agreements.

During the customer or business relationship, we process personal data for usual purposes, for example to provide services, customary correspondence and communication, invoicing, payments and debt collection and to handle feedback and technical problems.

Processed personal data

  • Name*
  • Name of the company/employer*
  • Job title
  • Email address*
  • Phone number*
  • Company address information*
  • Contract details*
  • Business segment
  • Concluded deals, purchased products/services and invoicing details
  • Customary business correspondence
*mandatory data

Legal basis:

Agreement. This processing of personal data is necessary for concluding a contract and the execution of the concluded contract.

Legitimate interest. The above-mentioned purpose is in accordance with our legitimate interest in managing the business relationship, and we consider that based on the relationship or your position between you and our company, it is also a matter of processing that you can reasonably expect in the usual maintenance of the customer relationship and which does not conflict with your basic rights and freedoms.

Data retention period:

We do not store personal data for longer than is necessary for the purpose of their use or as required by contract or law. Personal data can also be deleted in the situation when the data subject withdraws his/her consent or requests the deletion of his/her data (and there is no other legal basis for the processing).

4.3 Marketing

Purpose

Marketing and analytics

Description of the processing

We process personal data to send newsletters, for direct marketing purposes, to target and personalize marketing and content, and to analyze website usage and marketing.

Processed personal data

  • Name
  • Organization
  • Email address
  • Campaign group
  • Contact methods and phase
  • Responses
  • Marketing consents
  • Email openings, send group

Legal basis:

Legitimate interest. The above-mentioned purpose is in accordance with our legitimate interest related to the marketing of our products and services and we consider that based on the relationship or your position between you and our company, it is also a processing that you can reasonably expect and that does not conflict with your fundamental rights and freedoms, taking into account that you can also object at any time to the use of your personal data for direct marketing purposes.

We do not target any marketing measures to players of Seppo games, even if we have their contact information.

Consent. We process non-essential cookies only based on your consent. We also do other marketing based on your consent, if the applicable law requires it.

Data retention period:

We do not store personal data for longer than is necessary for the purpose of their use or as required by contract or law. Personal data can also be deleted in the situation when the data subject withdraws his/her consent or requests the deletion of his/her data (and there is no other legal basis for the processing).

4.4 Employees

Purpose

Employment matters

Description of the processing

We collect, store and process personal data relating to employees for fulfilling rights and obligations relating to employment agreements, customary human resource management purposes, payroll and payment of salaries as well as other employment-related rights and obligations, e.g. those based on law and collective agreements.

Processed personal data

Personal data usually provided by the employee:

Name, address, phone, birth date, social security id, bank account, education, degrees, feedback for performance review purposes, emergency contact.

Personal data usually created by the employer:

Start/end date of employment, employment contract, working time, insurance policy, position and employment related mandatory documentation.

Other data:

Work travel information (if any) and absence information.

Other sources:

Tax data.

Legal basis:

We must fulfill our obligations as an employer in relation to the requirements of the employment agreement, legislation, collective agreements and various authorities. Such processing is based on legal obligation or fulfillment of an agreement.

The processing of personal data is also necessary to fulfill our legitimate interests so that we can fulfill our obligations as an employer in relation to the employment contract, legislation, collective agreements and the requirements of various authorities. As an employee, you have a reasonable expectation in terms of your existing employment relationship to expect that we will as an employer process your data described in this privacy policy. Taking into account the purposes mentioned above, your justified expectations and the nature of the data, we consider that this processing does not conflict with your fundamental rights or freedoms.

We process information related to work ability and health, and we only carry out tests and investigations within the limits of legislation when your position requires it or if the problems caused by work otherwise give reason for them. Health information is processed to find out if there is a justified reason for the absence from work, or when the processing is necessary for the payment of sick pay or comparable health-related benefits. In addition, health status data can be processed in other situations separately regulated by law. The processing of personal data related to work ability is based on our legal obligation.

Various test data, references, suitability assessments, drug testing and other health-related checks and examinations are based on your consent.

Data retention period:

We do not store your data for a longer period than necessary for their purpose or for longer than necessary for the performance of a contract. Retention periods may also be based on applicable laws, such as the Employment Contracts Act as well as bookkeeping and tax laws. We may also update the data if necessary. The following retention periods also apply:
  • the information needed to write the employment certificate can be kept for 10 years after the end of the employment relationship;
  • payroll records can be kept for 10 years after the end of the accounting period;
  • travel, expense reimbursement and other payment receipts can be kept, e.g. for at least the current year and the following 6 years;
  • general employment data can be stored throughout the employment and for approximately 24 months after the employment has ended, due to the general time limit for presenting legal claims; and
  • a list of employees exposed at work to biological agents that cause serious danger or serious illness to persons must be kept for at least 10 years after the end of the exposure.

4.5 Recruiting and job applicants

Purpose

Recruiting

Description of the processing

We process personal data relating to recruitment so that we can receive and process job applications and make decisions about open positions or open applications, and, ultimately, offer employment and conclude employment contracts.

Processed personal data

  • Basic details
  • Education, work experience, skills
  • Possible job application and resume
  • References (with consent)
  • Data from personality and aptitude tests as well as health inspections (if any, with consent)
*Mandatory data

Legal basis:

The processing of job candidates' personal data is necessary to fulfill our legitimate interests. When you apply for a position, we must process your necessary personal data so that we can take you into account when making a decision about offering employment. When sending a job application, you have a reasonable expectation that we will process the personal data as described in this privacy policy, as it is data that is commonly processed in connection with recruitment. Taking into account the purposes mentioned above, your justified expectations, the nature of the data, and the fact that you can object to the processing as described below, we consider that the processing does not conflict with your fundamental rights or freedoms.

When we offer employment to a person, we must also process personal data for preparing an agreement.

Various test data, references, suitability assessments, drug testing and other health-related checks and examinations as well as personal data from third parties are processed based on your consent.

Retention period:

We typically store application data for approximately 12 months after a recruitment process has ended. Otherwise we delete the data when we no longer need it for the original purpose. With the job applicant's consent we may also store application data for a longer period, if the applicant wishes to have his/her application saved for open positions.

4.6 Legal grounds and legal obligations

Purpose

Legal grounds and legal obligations

Description of the processing

To a limited extent, personal data may be processed and stored for legal reasons and obligations.

Processed personal data

  • Accounting and bookkeeping materials*
  • Any other information required by law*
  • Preparing for and responding to legal claims and actions
  • Investigating violations
*Mandatory data

Legal basis:

Legal obligation (primarily). Statutory obligations as a basis for processing personal data relate in particular to obligations concerning accounting and book-keeping and taxes.

5. From which sources has the personal data been obtained

We receive personal data mainly from you in connection with contacting us. The information may be given by you or also derived from the use of services or website.

In addition, we may collect personal data about you from other reliable sources. Examples of data from these sources could be your public profile information (e.g. LinkedIn), interest in our products and services, and references from your colleagues or other people.

6. With whom do we share personal data

As a general rule, your personal data is processed by the personnel of our company when performing their duties. We may also use service providers for processing personal data. The service providers we use may not use personal data for any of their own purposes, but only for our benefit. We always make sure, for example through contracts, that the confidentiality of your data is maintained and that the data is also otherwise processed in accordance with the law. What data our service providers process at any given time is related to the task and purpose for which we use the service provider. We may share personal data with others especially in the following situations:

a) SEPPO platform. The SEPPO platform is operated on a third-party platform (Heroku). Relevant customer data may be shared with our local business partners in the territory where the SEPPO platform customer is located for customer relationship management and for offering customer support. We also use third-party subcontractors for developing the SEPPO platform;

b) Sales and marketing. We use third-party service providers for various sales and marketing purposes (e.g. Pipedrive, Salesloft, LeadIQ, DuxSoup and Mailjet);

c) HR and recruitment. We use cloud services for storing employment data and job applications (Google Workspace). We use service providers also for payroll and payment of salaries (Palkka.fi, Netvisor);

d) Official and other legal reasons. We may also disclose information when required by law, a court or a competent authority, to respond to a legal claim or to prepare one;

e) Corporate and business arrangements. We may also disclose information if we were involved in a merger, business transaction or other reorganization of our business; and

f) Consent of the data subject. We may also disclose information if the person has given their consent to the disclosure of information.

7. International transfers of personal data

The servers with Seppo data are located in the EU. Personal data may be transferred outside the EU/EEA especially in the following situations:

a) Our service provider, such as a cloud-based software we use for marketing, is located outside the EU/EEA;

b) We have a customer, for instance a SEPPO user, who is located outside the EU/EEA; or

c) We need to share information for customer service and support purposes to our local business partner located outside the EU/EEA.

If personal data were to be transferred outside the EU/EEA to a country that is not included in the EU Commission's decision on an adequate level of data protection, we will make sure that the processing, transfer and storage of your data is carried out on the grounds required by law and with adequate protection mechanisms, such as using the standard contract clauses confirmed by the EU Commission. The standard contract clauses can be found here (part of the text is in English): https://ec.europa.eu/info/law/law-topic/data-protection_fi. The standard contractual clauses have different modules for different situations; most likely we would apply modules 1 (controller-controller), 2 (controller-processor) or 3 (processor-sub-processor), depending on the situation.

8. Personal data retention periods

Specific retention periods for various types of processing activities are described in Sections 4.1 to 4.6.

We do not store personal data for longer than is necessary for the purpose of their use or as required by contract or law. Personal data can also be deleted in the situation when the data subject withdraws his/her consent or requests the deletion of his/her data (and there is no other legal basis for the processing). Data retention periods can also be governed by legislation (e.g. accounting law, tax laws) and the expiration of deadlines related to presenting legal claims (e.g. statutes of limitations).

The necessary storage time can vary, but typically it can mean a few years. Information that is necessary for defending against legal claims may have to be stored for up to 10 years. Accounting documentation is typically kept for 6-10 years. We maintain a minimum information register of data subject requests made in accordance with the data protection legislation (e.g. a request made by a data subject for deletion of data) so that we can demonstrate afterwards that we have implemented the requests of the data subject in accordance with the data protection legislation.

We store online behavior data collected with cookies and other similar technologies as described in the cookie statement produced by our cookie tool. The cookie statement is available on our website.

9. Your rights

You have the following rights in relation to your personal data:

Updating your own information
In case you are a registered user in our digital services, or a customer in our online store, you may have certain limited possibilities to check and update your profile data by accessing your account in the service or online store.

The right to access personal data
You have the right to receive confirmation from us as to whether we are processing personal data concerning you and to know what personal data concerning you we are processing (e.g. a copy of the data). In addition, you have the right to receive additional information about the basis of the processing of your personal data. However, the right to access personal data can be restricted based on legislation, the protection of privacy of other persons and the protection of business secrets.

The right to correct data
You have the right to have your incomplete, incorrect or outdated personal data supplemented or corrected.

The right to delete data
You have the right to request the deletion of your personal data. Your data will be deleted if there is no longer a legal basis for processing personal data.

The right to restrict processing
You may have the right to restrict the processing of your personal data. In this case, the controller generally does not process personal data other than by storing the data. You may have this right, for example, when you dispute the accuracy of your personal data, if the processing is against the law, or if you have objected to the processing of your personal data and are waiting for a response to the request for action in question.

Right to object
If we process your personal data based on our legitimate interest, you have the right to object to such processing based on your personal reasons.

The right to transfer data from one system to another
If we have processed your data on the basis of your consent or to fulfill a contract and the processing has taken place automatically, you have the right to receive the data you have provided us electronically in a commonly used machine-readable format so that the data can be transferred to another data controller.

Withdrawal of consent
If the processing of personal data is based on consent, you have the right to withdraw it at any time. Withdrawal of consent does not affect the legality of the processing of personal data that took place before the withdrawal. The processing of your personal data is based on consent, for example when you have given permission for electronic direct marketing by subscribing to our newsletter. The processing of non-essential cookies on our website is also based on your consent. You can manage the cookie consents you have given yourself using the cookie tool on our website.

The right to prohibit direct marketing
You always have the right to object to the processing of your personal data for direct marketing purposes and the right to withdraw any consent you may have given for marketing purposes.

10. How you can exercise your rights

You can exercise your rights described above by contacting us, for example, by using the contact information provided in this statement. The use of your rights is basically free of charge for you. If you submit a request electronically, we will deliver the information electronically as far as possible, unless you request otherwise. If necessary, we may ask you to verify your identity or specify your request.

You can easily prohibit email marketing, for example, by clicking the link in the header or footer of any email marketing message.

You can manage consents regarding cookies yourself directly with the cookie management tool on our website.

11. Complaint to the supervisory authority

If you believe that we do not process your personal data in accordance with this privacy statement or the applicable national and European Union data protection legislation, you can file a complaint with the supervisory authority if you wish. In Finland, the authority in question is the office of the Data Protection Commissioner (homepage: https://www.tietosuoja.fi).

12. Security

Personal data in electronic form is properly and carefully stored on servers that are protected by firewalls, passwords and other technical means in accordance with the general practices of the industry. The servers and their backups are managed according to high-level industry standards. Any written documents and materials containing personal data of data subjects are kept in locked rooms so that unauthorized persons are prevented from accessing them. Our premises are also locked and well protected. The personal data we collect and process are confidential, and we do not disclose it to anyone other than those who need the information in their work or, in accordance with this privacy statement, to our partners or other recipients.

13. Cookies

We use cookies on our website so that we can offer the best possible user experience to the website visitor. Cookies are short text files that the web server stores on the user's terminal device. Cookies give us information about how users use our website. We may use cookies to develop our services and website, to analyze website usage, and to target and optimize marketing. Non-essential cookies are processed only with the consent of the website visitor. Consent is given, can be revoked, and is managed using the cookie tool on our website, which opens to the visitor from the cookie banner on the side of the site. The cookie banner and the separate cookie statement on our site provide more detailed information about the cookies on our site.

14. Obligation to provide personal data and the consequences of not providing it

Use of certain services is only possible for registered users, so if the user does not provide their personal data, use of the service may not be possible.

With legal entity customers, processing of certain personal data is also mandatory, for instance for concluding and executing contracts and for invoicing purposes.

When you are an employee, we need to process certain personal data to fulfill contracts and legal rights and obligations related to employment.

In recruitment situations, it is not mandatory to provide us information. However, if you don’t provide necessary information, we may not be able to process your application.

To the extent possible, in this privacy statement and when doing business with us, we try to inform you which information is mandatory to fulfill the contract or create a user account and which information you can provide if you wish.

15. Automated decision-making and profiling

Profiling refers to any automatic processing of personal data, where personal data is used to evaluate, for example, a person's preferences or interests. We use profiling to offer the most adequate games for new users on the Seppo platform. We may use profiling in the targeting of direct marketing and digital advertising. Profiling may use information collected with cookies about what the website visitor was interested in when visiting our web pages. The use of non-essential cookies is always based on the user's consent (read more about cookies in our cookie policy). The use of information other than that collected with cookies may be based in particular on our legitimate interest. You have the right to object to the processing of personal data based on our legitimate interest (including profiling for marketing purposes).

With the help of profiling, we aim to make content and marketing more relevant, personal and interesting. The profiling performed in connection with our marketing does not include automatic decision-making that would have legal effects or other similar effects on the person.

16. Changes

We may make updates to this privacy statement as our operations, services, privacy principles or applicable legislation change. Unless otherwise stated, changes will take effect when we have posted an updated privacy statement on our website. When we make material changes, we will announce the date of the changes in advance on our website or in another way we deem appropriate.

PRIVACY POLICY – SeppoQ

Lentävä Liitutaulu Oy

Last updated: June 30 2026

1. Introduction and scope

This Privacy Policy describes how Lentävä Liitutaulu Oy ("Seppo", "we", "us") collects and processes personal data in connection with the SeppoQ workplace learning platform (available at seppoq.seppo.io and on white-label domains).

This policy applies to SeppoQ only. If you use Seppo (the 1.0 game-based learning platform), please refer to the separate Seppo Privacy Policy above. Personal data means any information relating to an identified or identifiable person, such as a name, email address, or learning assessment result.

2. Controller and contact details

Lentävä Liitutaulu Oy
Business ID: 2500405-9
Päivöläntie 52
00730 Helsinki
FINLAND
www.seppo.io
Privacy contact: support@seppo.io

For any questions about how your personal data is processed in SeppoQ, please use the contact details above.

3. Roles: data controller and data processor

SeppoQ is a B2B service used by organizations to run skills simulations for their employees and learners. This creates a dual role for Seppo:

Seppo as data controller — Seppo independently determines the purpose and means of processing for:

  • Account and profile data for administrators and managers
  • Billing and contract data

Seppo as data processor — For data that learners (employees) submit within SeppoQ simulations — including responses, self-assessments, AI-generated evaluations, and skill results — the customer organization is the data controller, and Seppo processes that data solely on the organization's behalf and according to its instructions. The legal framework for this processing is the Data Processing Agreement (DPA) concluded between Seppo and the customer organization.

For learners: if you wish to exercise your data protection rights regarding data collected within a SeppoQ simulation, please contact your employer or the organization that assigned you to the simulation. They are the data controller for that data and are responsible for fulfilling your request. Seppo will assist the organization in responding to your request.

4. What data we collect, why, and on what legal basis

4.1 Account and profile data

Data collected: Name, work email address, organization name, job role within SeppoQ (administrator, manager, or learner).

Purpose: Creating and maintaining user accounts, authenticating users, providing access to SeppoQ features appropriate to the user's role, communicating about the service, and providing customer support.

Legal basis: Contract — processing is necessary for the performance of the SeppoQ service agreement and the user agreement accepted when creating an account.

Retention: For the duration of the subscription plus 6 months after termination, unless earlier deletion is requested.

4.2 Simulation responses and self-assessments

Data collected: Text responses submitted by learners to scenario-based tasks, written answers in simulation exercises, self-assessment ratings (e.g. confidence scales), and participation records (which simulations have been started or completed).

Purpose: Enabling the simulation to function; generating skill competency results and reports for the customer organization.

Legal basis: Contract — processing is necessary for Seppo to deliver the SeppoQ service on behalf of the customer organization (data processor role).

Retention: For the duration of the subscription plus 6 months after termination, or earlier if the customer organization requests deletion.

4.3 AI-generated evaluations and skill snapshots

Data collected: AI-generated assessments of learner responses (scored across three skill dimensions: knowledge, communication, and decision-making), skill percentage snapshots taken at the baseline and validation phases, and AI-generated narrative summaries of learning outcomes.

Purpose: Producing the skill results, delta reports, and organizational readiness reports that are the core output of SeppoQ.

Legal basis: Contract — processing is necessary for Seppo to deliver the SeppoQ service on behalf of the customer organization (data processor role).

Retention: Same as simulation response data.

4.4 Usage and technical data

Data collected: IP addresses, browser and device type, session timestamps, feature usage events, and error logs.

Purpose: Ensuring service reliability and security, debugging technical issues, and monitoring for unauthorized access.

Legal basis: Legitimate interest — operating a secure and well-functioning service is a legitimate interest of Seppo and its customers, and this processing does not override the rights and freedoms of users given the limited and technical nature of the data.

Retention: Rolling 90 days.

5. Hosting and security

SeppoQ is built on infrastructure hosted entirely within the European Union:

  • Database, authentication, and serverless functions: Supabase (eu-north-1 region, Stockholm, Sweden)
  • Data at rest: encrypted using AES-256 (Supabase default)
  • Data in transit: encrypted using TLS 1.2 or higher
  • Backups: stored within the EU (eu-north-1 region)
  • Access control: role-based access (admin / customer admin / manager / learner); multi-factor authentication required for all internal Seppo staff access
  • Audit logging: administrative actions are logged

No SeppoQ data is stored on servers outside the EU/EEA, with the exception of data temporarily transmitted to Anthropic for AI evaluation (see Sections 6 and 7).

6. Sub-processors

Seppo uses the following third-party sub-processors to deliver SeppoQ:

Sub-processor: Supabase, Inc.
  • Purpose: Database, user authentication, serverless edge functions
  • Location: EU (Stockholm, Sweden – eu-north-1)
  • Privacy information: supabase.com/privacy

Sub-processor: Microsoft Corporation (Azure OpenAI Service)
  • Purpose: AI evaluation of learner simulation responses and AI-chat scenarios; AI-generated feedback and reports
  • Location: EU (Sweden North)
  • Privacy information: microsoft.com/en-us/trust-center

Sub-processor: Mailjet (Sinch Sweden AB)
  • Purpose: Transactional email delivery (invitations, notifications, reports)
  • Location: EU (France)
  • Privacy information: mailjet.com/legal/privacy-policy

All sub-processors listed above process data within the European Union. Seppo enters into Data Processing Agreements with all sub-processors. We will notify customers of any intended changes to the sub-processor list at least 30 days in advance, giving customers the opportunity to object.

7. AI – how it works and the safeguards in place

AI evaluation is a core feature of SeppoQ and the primary way we generate skill results. This section explains the process and the specific protections we have built in.

How AI evaluation works

When a learner submits a written response or completes an AI-chat scenario, SeppoQ sends the response text to Microsoft Azure OpenAI Service hosted in Sweden. The model evaluates the response against defined skill criteria and returns a structured score and qualitative feedback. The evaluation result is stored in SeppoQ's EU-hosted database and forms part of the learner's skill profile. All AI processing takes place within the EU.

Safeguards

No AI training on your data. Microsoft's Azure OpenAI Service terms explicitly state that data submitted via the API is not used to train AI models, is not shared with OpenAI, and is not used to improve any Microsoft or third-party products. Learner responses are processed solely to produce the evaluation result for that learner.

Minimum respondent threshold. Aggregated results (such as team or organizational reports) are only displayed when a minimum of 5 learners have completed the relevant phase. This k-anonymity measure prevents individual responses from being identifiable in group-level data.

AI content is labeled. In the SeppoQ interface, all AI-generated content—including evaluations, feedback narratives, and report summaries—is clearly labeled so that users always know when they are reading AI output rather than human-written content.

Decision-support only. AI evaluation results in SeppoQ are tools to support human decision-making. They do not constitute automated decision-making within the meaning of GDPR Article 22 (decisions that produce legal effects or similarly significant effects on individuals). The results are always reviewed and interpreted by the customer organization's managers or HR professionals.

No sensitive categories. SeppoQ is not designed to infer or process special categories of personal data (such as health, political opinions, or ethnicity). The skill dimensions assessed—knowledge, communication, and decision-making—relate to professional competencies only.

8. International transfers of personal data

SeppoQ processes and stores all personal data within the European Union. All sub-processors (Supabase, Microsoft Azure OpenAI Service, and Mailjet) operate within the EU for the purposes described in this policy.

Some sub-processors are subsidiaries of US-based parent companies (Supabase, Inc. and Microsoft Corporation). In these cases, data processing occurs on EU infrastructure and is covered by Data Processing Agreements that include EU Standard Contractual Clauses, ensuring adequate protection in the event of any access by personnel outside the EU/EEA.

We do not transfer personal data to countries outside the EU/EEA for storage or routine processing.

9. Sharing of personal data

As a general rule, personal data in SeppoQ is accessible only to Seppo staff who need it to perform their duties, and to the customer organization's authorized administrators and managers for their own learners' data. We do not sell personal data or share it for third parties' own purposes.

We may share data in the following circumstances:

  • Sub-processors (as listed in Section 6) for the purposes described.
  • The customer organization (as data controller for their learners' data) – they have access to their own data through SeppoQ's reporting features.
  • Legal obligations – if required by law, court order, or a competent authority.
  • Corporate transactions – in connection with a merger, acquisition, or sale of business assets; we will notify affected parties in advance.

10. Your rights under GDPR

You have the following rights regarding your personal data:

Right of access – You can request a copy of the personal data we hold about you and information about how it is processed.

Right to rectification – You can request that inaccurate or incomplete data about you be corrected.

Right to erasure – You can request that your personal data be deleted where there is no longer a legitimate basis for retaining it.

Right to restriction – You can request that processing of your personal data be restricted in certain circumstances, for example while a dispute about accuracy is resolved.

Right to object – Where processing is based on our legitimate interests, you have the right to object on grounds relating to your particular situation.

Right to data portability – Where processing is based on your consent or on a contract and carried out by automated means, you can receive your data in a structured, machine-readable format.

Right to withdraw consent – Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

How to exercise your rights

Contact us at support@seppo.io. We will respond within 30 days.

For learners: please contact your employer or the organization that assigned you to SeppoQ first, as they are the data controller for your simulation data. Seppo will assist the organization in fulfilling your request.

If you believe your rights have not been respected, you can file a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

11. Cookies and similar technologies

SeppoQ uses technically necessary cookies and local storage to maintain your authenticated session and remember your preferences. These are strictly necessary for the service to function and do not require your consent.

We do not use tracking cookies, advertising cookies, or analytics cookies that profile your behavior across websites.

12. Changes to this policy

We may update this Privacy Policy as our service, technology, or legal obligations change. We will notify you of material changes by email or by a prominent notice within SeppoQ at least 30 days before the changes take effect. The current version will always be available on this page. Minor clarifications (such as correcting typos or adding sub-processor contact links) may be made without advance notice.

Lentävä Liitutaulu Oy
support@seppo.io
seppoq.seppo.io