Privacy policy
Valve Branding Oy (trading as Valve One), Business ID: 1884268-7
Last updated: June 15, 2026, Version: 2.0
This privacy policy explains how Valve Branding Oy, operating the Valve One business and website at valveone.com ("Valve One", "Valve", "we", "us"), processes personal data relating to website visitors, customers, potential customers, business partners, event participants, newsletter subscribers, job applicants, freelancers and other persons who interact with us.
We process personal data in accordance with the EU General Data Protection Regulation ("GDPR"), applicable Finnish data protection legislation, the Finnish Act on Electronic Communications Services, and applicable rules on cookies and electronic communications.
Our website and services are intended for business users and are not directed at children.
1. Who this policy applies to
This policy applies to personal data relating to:
- visitors to valveone.com and our other digital channels;
- representatives and contact persons of our customers, potential customers, suppliers and business partners;
- people who contact us, book meetings, request proposals or otherwise communicate with us;
- newsletter subscribers and recipients of marketing communications;
- participants in events, webinars, campaigns or similar activities;
- job applicants, freelance applicants and other recruitment-related contacts;
- users of our services, platforms, forms, and other digital tools.
Where we process personal data on behalf of our customers as a processor, the customer's own privacy notice normally applies. In those cases, we process personal data under the relevant customer agreement and data processing agreement.
2. What personal data we collect
2.1. Contact and identification data
- first and last name;
- email address;
- phone number;
- company or organisation;
- job title or role;
- business address or other professional contact details;
- social media profile or username where relevant, such as LinkedIn or X/Twitter profile information.
2.2. Customer, prospect and business relationship data
- information about your employer, organisation or business area;
- information about your interests in our services;
- meeting, sales, proposal and contract-related information;
- customer relationship history;
- event, webinar or campaign participation;
- marketing preferences, consents and opt-outs;
- feedback, survey responses, and similar business interaction data.
2.3. Communication data
- messages you send to us;
- records of communications with you;
- metadata such as time, channel and recipient of communications;
- information about whether marketing emails have been delivered, opened, or clicked.
2.4. Website, device and online behaviour data
- IP address;
- device and browser information;
- approximate location derived from technical identifiers;
- website usage data, such as pages visited, time spent, links clicked and referral source;
- cookie identifiers and similar online identifiers;
- information collected through analytics, marketing automation, and similar technologies (see Section 6).
2.5. Recruitment and freelance application data
Where you apply for a role, freelance collaboration or open position, we may process:
- contact details;
- CV, portfolio, LinkedIn profile or other application materials;
- work history, education, skills and experience;
- salary expectations or availability where provided;
- interview notes and recruitment communications;
- references, where you provide them or authorise us to contact them.
Please do not provide sensitive personal data, such as health data, political opinions, religious beliefs or national identification numbers, unless specifically requested and necessary for the relevant process.
Where required, we process recruitment-related personal data in accordance with the Act on the Protection of Privacy in Working Life (759/2004) in addition to GDPR obligations.
3. Where we collect personal data from
We collect personal data from:
- you directly, for example when you contact us, complete a form, subscribe to a newsletter, book a meeting or apply for a position;
- your employer, colleagues or other business contacts;
- our customers, partners and event organisers;
- public sources, such as company websites, business registers, LinkedIn and other professional sources;
- website and marketing technologies, including cookies and analytics tools (see Section 6);
- CRM, marketing automation, and communication systems used by us.
4. Why we process personal data and our legal bases
| Purpose | Legal basis | Details |
|---|---|---|
| Responding to enquiries and contact requests | Legitimate interests; steps prior to contract | Replying to messages, arranging meetings, preparing proposals |
| Managing customer and business relationships | Contract; legitimate interests; legal obligation where applicable | Customer communication, account management, project coordination, invoicing support |
| Sales and business development | Legitimate interests | Identifying relevant business contacts, managing leads, proposal follow-up |
| Direct marketing | Consent where required; legitimate interests for B2B marketing with opt-out where permitted | B2B marketing emails, newsletters, event invitations and service updates. The Finnish Act on Electronic Communications Services and the ePrivacy Directive apply. For existing customers, we may rely on a soft opt-in with a clear opt-out where permitted. For new contacts with no prior relationship, we require opt-in consent before sending direct email marketing. |
| Marketing analytics and campaign measurement | Consent for cookie-based tracking; legitimate interests for non-cookie analytics | Measuring email performance, website interactions and campaign effectiveness |
| Website operation and security | Legitimate interests; legal obligation where applicable | Providing the website, preventing abuse, maintaining security and troubleshooting |
| Cookies and similar technologies | Consent for non-essential cookies; legitimate interests or necessity for strictly necessary cookies | Analytics, marketing cookies, embedded content and preference storage. See Section 6. |
| Events and webinars | Contract; legitimate interests; consent where applicable | Registration, participation management, follow-up communications |
| Recruitment and freelance applications | Steps prior to contract; legitimate interests; legal obligation where applicable | Assessing applications, communicating with applicants, managing recruitment |
| Legal claims and compliance | Legal obligation; legitimate interests | Handling disputes, enforcing agreements, responding to lawful requests |
| Service improvement and reporting | Legitimate interests | Improving our website, services, customer experience and internal processes |
| AI-enabled support tools | Legitimate interests; consent where required; contract where relevant | Supporting marketing, sales, content production, analytics, and CRM. See Section 7 for AI-specific disclosures. |
Legitimate interests: Our legitimate interests include developing and marketing our services, managing customer and business relationships, maintaining secure and effective systems, understanding business customer needs, and protecting our legal rights. We balance these interests against the rights and freedoms of the individuals concerned. You can object to processing based on legitimate interests at any time, as described in Section 14.
Where we rely on legitimate interests, we assess and document the relevant interest, its necessity, and the balancing of our interests against your rights and freedoms. You may contact us at privacy@valve.fi for more information about the balancing assessment relevant to your situation.
5. Direct marketing
We may send direct marketing to business contacts where communication is relevant to the person's professional role or organisation. We may also send newsletters, event invitations, and updates where you have subscribed or where otherwise permitted by law.
The Finnish Act on Electronic Communications Services, which implements the EU ePrivacy framework in Finland, applies to direct electronic marketing. For existing customers, we may rely on a soft opt-in with a clear opt-out where permitted. For new contacts with no prior relationship, we require opt-in consent before sending direct email marketing.
You can opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting us at privacy@valve.fi. We may retain limited information about your opt-out to ensure that we respect your choice.
We may use CRM and marketing automation tools to understand which topics, services, or events may be relevant to you. See Section 8 for information about profiling. We do not use this information to make decisions about you that produce legal or similarly significant effects.
6. Cookies and similar technologies
Our website uses cookies and similar technologies, deployed via Google Tag Manager. Cookies are small files or identifiers stored on or accessed from your device.
The table below summarises the main categories of cookies and similar technologies we use. The exact cookies, providers, and retention periods may change depending on our website configuration. The current cookie banner and Cookie Settings tool provide the most up-to-date cookie-level information.
Where available and appropriate, we configure EU hosting, EU data-region or EU data-boundary settings for relevant systems. Some support, security, telemetry, or routing operations may still involve processing outside the EU/EEA, subject to appropriate safeguards.
| Category | Provider | Purpose | Recipient / residency | Retention |
|---|---|---|---|---|
| Strictly necessary | HubSpot, Inc. — session and security cookies | Session management, CSRF protection, form handling, language preference | HubSpot, EU data residency configured; limited support access may involve approved international transfers | Session / according to provider settings |
| Strictly necessary | Our cookie consent platform / banner provider | Storing your cookie consent choices and preference signals | Consent platform provider; EU where available | According to CMP settings |
| Analytics | Google Analytics 4 via Google Tag Manager | Measuring page traffic, user behaviour and content performance | Google Ireland Ltd. / Google LLC; processing includes the United States (extra-EEA), under SCCs and the EU-US DPF | According to analytics settings, generally not longer than necessary for analytics and reporting |
| Analytics | HubSpot analytics | Tracking visits and page interactions for CRM and marketing analysis | HubSpot, EU data residency configured; limited support access may involve approved international transfers | According to HubSpot settings |
| Marketing | Google Ads / Google Tag Manager remarketing tags | Conversion tracking, remarketing audience building, ad performance measurement | Google Ireland Ltd. / Google LLC; processing includes the United States (extra-EEA), under SCCs and the EU-US DPF | According to advertising platform settings |
| Marketing | LinkedIn Insight Tag, if enabled and consented | Campaign conversion tracking and LinkedIn audience retargeting | LinkedIn Ireland / LinkedIn Corporation; processing includes the United States (extra-EEA), under SCCs and the EU-US DPF | According to LinkedIn settings |
| Marketing | Meta Pixel / Facebook Pixel, if enabled and consented | Campaign conversion tracking and Meta audience retargeting | Meta Platforms Ireland / Meta Platforms, Inc.; processing includes the United States (extra-EEA), under SCCs | According to Meta settings |
| Functional / preference | HubSpot personalisation and A/B testing cookies | Remembering preferences and supporting A/B content experiments | HubSpot, EU data residency configured | According to HubSpot settings |
Analytics, marketing, and functional cookies are used only with your consent unless they are strictly necessary for the service you have requested. You can accept, reject or manage cookie categories through the cookie banner or the Cookie Settings link on our website. You can also manage cookies through your browser settings.
Essential cookies cannot be disabled through the cookie banner where they are required for the website to function and are not subject to the consent requirement. Analytics, marketing, and functional cookies require your consent. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
For an up-to-date cookie-level declaration, including individual cookie names, providers, purposes and validity periods, see the cookie banner or Cookie Settings link on our website, or contact us at privacy@valve.fi.
7. AI-enabled tools
We may use AI-enabled tools to support marketing, sales operations, content production, analytics, customer relationship management, and internal productivity. These tools may help us draft content, classify information, summarise communications, analyse campaign performance, or support service delivery. The AI service providers we currently use are listed in Section 10.
Where AI-enabled tools process personal data, we apply a risk-based AI governance framework that helps us classify data and AI services. We also apply appropriate operational safeguards including access controls, vendor review, contractual protections, and data minimisation. We do not use AI tools to make decisions about individuals that produce legal or similarly significant effects without appropriate human involvement. AI services are used primarily as tools supporting human decision-making and content creation. Valve One personnel remain responsible for reviewing outputs before they are used in business activities.
We instruct our personnel not to enter unnecessary personal data, confidential customer data, special-category data or sensitive business information into AI tools unless the tool has been approved for that purpose and appropriate contractual, security and access safeguards are in place.
EU AI Act — transparency obligations (Article 50, applying from 2 August 2026):
- Interaction disclosure: Where any AI system deployed by Valve One interacts directly with you, we will inform you at the point of interaction that you are engaging with an AI system, unless this is obvious from the context.
- AI-generated content: Where AI-generated content is required to be labelled or marked under applicable law, we will apply the required labelling.
8. Profiling and automated processing
We use CRM and analytics tools, including HubSpot, to understand how you interact with our website, emails and content — for example, which pages you visit, which emails you open or click, and which content you engage with. Where we combine and analyse this information to evaluate your likely professional interests or to tailor marketing, this may constitute profiling under GDPR Art. 4(4).
We may use such profiling to personalise marketing communications, to make content and communications more relevant to your professional role and organisation, and to support Account-Based Marketing (ABM) activities directed at relevant business decision-makers. Where we carry out profiling for these purposes, we rely on our legitimate interests (GDPR Art. 6(1)(f)) and balance those interests against your rights and freedoms.
Right to object to profiling for direct marketing: You have the right to object to profiling carried out for direct marketing purposes at any time. Where you object, we will stop such profiling. To object, contact privacy@valve.fi or use the unsubscribe link in any of our communications.
We do not use solely automated decision-making that produces legal or similarly significant effects on you (GDPR Art. 22).
9. Recipients of personal data
We may share personal data with:
- companies within the Valve Group, where necessary for the purposes described in this policy;
- IT, hosting, CRM, marketing automation, analytics, security, communications and business-system providers;
- event partners, webinar platforms or campaign partners where you participate in a joint activity;
- professional advisers, such as auditors, legal advisers and consultants;
- public authorities, courts or regulators where required by law or necessary to protect our legal rights;
- transaction parties where necessary in connection with a merger, acquisition, restructuring or similar business transaction.
We do not sell personal data.
Where service providers process personal data on our behalf, we use written agreements requiring them to process personal data only according to our instructions and to apply appropriate security measures.
10. Service providers, processors and other recipients
The table below lists the material service providers, processors and sub-processors we currently use for the processing activities described in this privacy policy. Some providers process personal data on our behalf as processors. Others may act as independent controllers or joint controllers for specific services, depending on their terms and how the service is used — this is often the case for advertising platforms such as Google Ads, LinkedIn and Meta.
This list may change as our systems, services and customer needs develop. See Section 17 for how we handle material changes to this list.
| Service provider | Service / purpose | Data processed | Data residency / location | Safeguards | Compliance link |
|---|---|---|---|---|---|
| Google Ireland Ltd. / Google LLC Google Analytics 4 |
Website analytics and performance measurement | Page views, session data, device/browser info, IP address where processed, user behaviour and cookie identifiers. | Google Ireland Ltd. / Google LLC; processing includes the United States (extra-EEA), under SCCs and the EU-US DPF. | Google terms/DPA where applicable; consent-gated analytics cookies; IP and data minimisation settings where available; SCCs/transfer safeguards where applicable. | Google Ads — Processor terms |
| Google Ireland Ltd. / Google LLC Google Ads / Google Tag Manager |
Advertising, conversion tracking and remarketing | Cookie identifiers, IP address, page URL, conversion events, remarketing audience data. | Google Ireland Ltd. / Google LLC; processing includes the United States (extra-EEA), under SCCs and the EU-US DPF. | Google terms/DPA where applicable; consent-gated marketing cookies; SCCs/transfer safeguards where applicable. | Google Ads — Processor terms |
| LinkedIn Ireland Unlimited Company / LinkedIn Corporation LinkedIn Insight Tag |
B2B campaign analytics and audience retargeting, loaded via GTM when consent is given | Cookie identifiers, IP address, URL, device data; may be linked to LinkedIn profile where user is logged in. | LinkedIn Ireland; processing includes the United States (extra-EEA), under SCCs and the EU-US DPF. | LinkedIn terms/DPA where applicable; SCCs/transfer safeguards; consent-gated marketing cookie. | LinkedIn — DPA |
| Meta Platforms Ireland Ltd. / Meta Platforms Inc. Meta Pixel |
Campaign conversion tracking and audience retargeting, loaded via GTM when consent is given | Cookie identifiers, IP address, URL, device data, conversion events. | Meta Ireland; processing includes the United States (extra-EEA), under SCCs. | Meta terms/DPA where applicable; SCCs/transfer safeguards; consent-gated marketing cookie. | Meta — Data processing terms |
| HubSpot, Inc. HubSpot CRM / Marketing Hub |
CRM, marketing automation, email marketing, forms and analytics | CRM contacts and company records; lifecycle, marketing and sales activity data; email marketing data; analytics/tracking data as configured; user accounts. | EU data residency configured; limited support or access may involve approved international transfers. | DPA in place; EU data residency configured; RBAC/least privilege; data minimisation; SCCs/transfer safeguards where applicable. | HubSpot — DPA |
| Supermetrics Oy Supermetrics |
Data connectors and reporting automation | Connector data pulled from client systems; authorisation tokens; user accounts; logs/metadata. | EU data residency configured; possible limited global processing for certain connectors or support. | Data processor terms in place; secure tokens/scopes; access controls; data minimisation; transfer safeguards where applicable. | Supermetrics — Processor terms |
| Databox, Inc. Databox |
Metrics, dashboards and reporting | Connected-source metrics; user accounts; connector tokens; logs/metadata; any personal data in connected datasets. | US / global processing. | DPA in place; secure connector tokens/scopes; access controls; minimise personal data; transfer safeguards where applicable. | Databox — DPA |
| Canva Pty Ltd Canva |
Design and creative production | Design files and uploaded assets; team/user accounts; comments/sharing; logs/metadata. | Global cloud processing, including outside the EU/EEA (default configuration). | DPA in place; data residency setting where available; RBAC/least privilege; minimise personal data in uploaded assets. | Canva — DPA |
| Adobe Inc. / Adobe Systems Software Ireland Ltd. Adobe Creative Cloud |
Creative production and cloud-stored creative assets | Cloud-stored creative assets; user accounts; logs/metadata; any personal data embedded in assets. | Global processing, including in the United States (default configuration). | DPA in place; access controls; minimise personal data in assets; configure regional controls where applicable. | Adobe — DPA |
| Microsoft Corporation / Microsoft Ireland Operations Ltd. Microsoft 365 / Azure |
Email, files, collaboration, cloud infrastructure and identity services | Tenant customer content including email, files, Teams and SharePoint; identity/account data; logs/telemetry depending on configuration; Azure workload data. | EU Data Boundary configured for tenant data at rest; limited global access or processing may apply for support, security or operations. | Microsoft DPA; EU Data Boundary controls; RBAC/MFA; encryption; SCCs/transfer safeguards for relevant extra-EEA processing. | Microsoft — DPA |
| Microsoft Corporation / Microsoft Ireland Operations Ltd. Microsoft 365 Copilot |
AI-enabled productivity within Microsoft 365 | User prompts and outputs; Microsoft 365 organisational content via Microsoft Graph; account and usage metadata. | EU Data Boundary or other regional settings where configured; routing, support or model-related processing may involve extra-EEA processing depending on tenant and service configuration. | Microsoft DPA; permission-based access via Microsoft Graph; RBAC/MFA; encryption; prompts and Graph data not used to train Microsoft foundation models according to Microsoft commitments; transfer safeguards where applicable. | M365 Copilot — Privacy |
| RealtimeBoard, Inc. d/b/a Miro Miro |
Online whiteboards and collaboration | Board content; comments; attachments; user profiles; logs/metadata. | EU data residency configured; limited support access may involve approved international transfers. | DPA in place; EU data residency configured; RBAC/least privilege; minimise personal data in boards. | Miro — DPA |
| monday.com Ltd. monday.com Work OS |
Work management, tasks and project collaboration | Boards/tasks; updates/comments; files/attachments; user accounts; logs/metadata. | EU Data Region configured; limited support access may involve approved international transfers. | DPA in place; EU data region configured; RBAC/least privilege; data minimisation; SCCs/transfer safeguards where applicable. | monday.com — DPA |
| Celonis SE Make (formerly Integromat) |
Workflow automation and system integrations | Workflow scenario data; payloads passing through automations; connector tokens; logs/metadata. | EU data residency configured; limited support access may involve approved international transfers. | DPA in place; EU environment configured; restrict connector scopes; secure tokens; data minimisation. | Make — DPA |
| Atlassian Pty Ltd / Atlassian Network Services, Inc. Confluence & Jira Cloud |
Project management, issue tracking and documentation | Project/task data; wiki/pages; comments; attachments; user profiles; access logs/metadata. | EU data residency configured; limited support access may involve approved international transfers. | DPA in place; EU data residency configured; RBAC/least privilege; transfer safeguards where applicable. | Atlassian — DPA Atlassian — Data residency |
| Functional Software, Inc. d/b/a Sentry Sentry |
Error monitoring and event reporting | Error/event payloads which may include reporter email, IP address, device, location and content depending on configuration. | EU region where enabled; otherwise US/global processing may apply. | DPA in place; EU region where required; scrub/minimise personal data in events; access controls; retention controls. | Sentry — DPA |
| Kinsta Inc. Managed WordPress hosting / database |
Website hosting and database services | WordPress user database; eCommerce order/purchase data where applicable; logs/technical metadata. | EU data centre configured; limited support access may involve approved international transfers. | DPA in place; EU data centre configured; RBAC/least privilege; encryption in transit; transfer safeguards where applicable. | Kinsta — DPA |
| Semrush Holdings, Inc. Semrush SEO / Marketing Platform |
SEO, marketing analysis and reporting | User accounts; SEO/marketing projects and reports; query/log data; any personal data submitted in projects. | US / global processing. | DPA in place; access controls; minimise personal data in projects/exports; SCCs/transfer safeguards where applicable. | Semrush — DPA |
| OpenAI Ireland Ltd. / OpenAI OpCo, LLC ChatGPT Enterprise |
AI-enabled productivity, analysis, drafting and internal support | Prompts/inputs and outputs; workspace content and files if uploaded; user/account identifiers; logs/metadata. | EU data residency configured for the workspace; some non-eligible features may involve US/global processing. | OpenAI DPA; no training on business data by default; retention/admin controls where available; encryption; transfer safeguards where applicable. | OpenAI — DPA OpenAI — Enterprise privacy |
| OpenAI Ireland Ltd. / OpenAI OpCo, LLC OpenAI API |
AI API services and integrations | API inputs including prompts/files depending on endpoint; outputs; request metadata. | United States / global processing; transfers outside the EU/EEA covered by OpenAI's DPA and SCCs. | OpenAI DPA; API data not used for training by default; data controls/retention options; minimise payloads; transfer safeguards where applicable. | OpenAI — DPA OpenAI — Your data |
| Google LLC / Google Ireland Ltd. Gemini for Google Workspace |
AI features within Google Workspace | Workspace content and user inputs used with Gemini features; generated outputs; service usage metadata. | Within our Google Workspace EU data residency configuration; subject to Workspace product limitations. | Google Cloud/Workspace DPA; Workspace Gemini privacy commitments; data-region controls configured; access controls; minimisation. | Google Workspace — Gemini Google Cloud — DPA |
| Google LLC / Google Ireland Ltd. NotebookLM |
AI-supported source analysis, note-taking and summarisation | User-provided sources/files; notes; chat history and outputs; Workspace/Cloud account identifiers; usage metadata. | Within our Google Workspace EU data residency configuration; subject to product route and configuration. | Google Cloud/Workspace DPA where applicable; enterprise/project controls; access controls; minimise uploaded source materials. | NotebookLM Enterprise Google Cloud — DPA |
| Google LLC / Google Ireland Ltd. Gemini API via Google Cloud Vertex AI |
AI API services through Google Cloud Vertex AI | Prompts/inputs and outputs; request metadata; files/context sent; logs/telemetry as configured. | According to the Google Cloud region selected for the relevant workload; EU regions available where configured. | Google Cloud DPA; use EU endpoints/locations where required; IAM/least privilege; encryption; data minimisation. | Vertex AI — Locations Google Cloud — DPA |
| Anthropic, PBC Claude.ai / Claude for Work |
AI-enabled productivity, drafting, analysis and workspace support | Prompts/inputs and outputs; account/workspace identifiers; uploaded files/content; optional feedback/bug-report content. | Processed in the United States and other locations where Anthropic and its sub-processors operate; transfers outside the EU/EEA covered by Anthropic's DPA and SCCs. | Anthropic DPA for commercial products where applicable; SCCs; commercial data not used for model training by default according to vendor commitments; access controls; data minimisation. | Anthropic — DPA Anthropic — Training policy |
| Anthropic, PBC Claude API |
AI API services and integrations | API prompts/inputs and outputs; request metadata/logs as applicable. | Processed in the United States and other locations where Anthropic and its sub-processors operate, under Anthropic's DPA and SCCs. | Anthropic DPA where applicable; SCCs; commercial/API data not used for training by default according to vendor commitments; retention controls where available; API key controls; minimisation. | Anthropic — DPA Anthropic — API & data retention |
| Anthropic, PBC Claude Cowork |
AI-enabled task and workspace support | Task/workspace content accessed depending on permissions/connectors; prompts/outputs; account/workspace metadata. | Processed in the United States and other Anthropic operating locations, under Anthropic's DPA and SCCs. | Anthropic commercial terms/DPA where applicable; least privilege for connectors; access controls; data minimisation; tenant retention settings to be confirmed before broad deployment. | Anthropic — DPA Claude Cowork |
| Anthropic, PBC Claude Code |
AI-assisted coding | Prompts/inputs and outputs during coding sessions; source code snippets/file context; account/workspace identifiers; usage/productivity metadata; optional feedback content. | Processed in the United States and other Anthropic operating locations, under Anthropic's DPA and SCCs; local session storage may also apply. | Anthropic DPA/commercial terms where applicable; no training on commercial prompts/code by default according to vendor commitments; retention controls where available; local transcript controls; minimisation. | Claude Code — data usage Anthropic — DPA |
For further information about service-provider safeguards or to request information about relevant SCCs, contact privacy@valve.fi.
11. International transfers
Some of our service providers may process personal data outside the EU or EEA, including in the United States. Where personal data is transferred outside the EU or EEA, we rely on one or more of the following safeguards:
- Adequacy decision: an adequacy decision adopted by the European Commission for the recipient country.
- EU–U.S. Data Privacy Framework (DPF): where the US recipient is self-certified under the EU–U.S. DPF (adequacy decision of 10 July 2023).
- Standard Contractual Clauses (SCCs): the European Commission's SCCs (Commission Implementing Decision 2021/914), supplemented where required by a transfer impact assessment.
- Supplementary measures: additional technical, contractual, or organisational measures where the transfer assessment identifies residual risk.
For the following systems we have configured EU data residency, EU hosting or EU data-region settings so that primary storage and processing take place within the EU/EEA: HubSpot, Supermetrics, Microsoft 365/Azure, Miro, monday.com, Make, Kinsta, Atlassian Confluence & Jira Cloud, ChatGPT Enterprise, and Google Workspace (including Gemini for Google Workspace and NotebookLM). These settings are intended to limit the primary storage or processing location; limited extra-EEA access or processing may still occur, for example for support, security, telemetry, routing or provider operations, subject to appropriate transfer safeguards.
Other systems, including certain advertising, analytics, and AI services, may process personal data outside the EU/EEA under the safeguards described above. You may contact us at privacy@valve.fi for further information about the transfer safeguards applicable to specific providers.
12. Retention of personal data
We keep personal data only for as long as necessary for the purposes described in this policy, unless a shorter or longer period is required or permitted by law, contract, accounting obligations, dispute handling or other legitimate necessity.
General rule: We retain personal data for up to five years from the last meaningful interaction with you, the end of the relevant customer or business relationship, or the end of the applicable process — unless a shorter retention period applies under the table below, or a longer period is required by law or to establish, exercise or defend legal claims.
Meaningful interaction: A meaningful interaction means an intentional or business-relevant engagement with us, such as a direct communication, meeting, proposal request, event registration, form submission, newsletter subscription, customer project interaction or similar active engagement. A passive website visit, an automatic email open event or an isolated analytics signal does not by itself restart the general retention period.
| Data category | Retention period or criterion |
|---|---|
| Contact enquiries and meeting requests | Up to 5 years after the last meaningful interaction, unless a customer or business relationship begins |
| Customer and business relationship data | For the duration of the relationship and up to 5 years after the relationship ends, unless a longer period is required for legal, accounting, reporting or claims purposes |
| Marketing contacts | Up to 5 years after the last meaningful interaction, unless you opt out earlier or the data is no longer relevant |
| Newsletter subscriptions | Until you unsubscribe or the newsletter is discontinued; opt-out records may be retained as necessary to respect your choice |
| Marketing opt-out records | As long as necessary to respect the opt-out, which may exceed 5 years where necessary to ensure the opt-out remains effective |
| Website analytics and cookie data | According to analytics and cookie platform settings; not longer than necessary for analytics and reporting purposes |
| Cookie consent records | As long as necessary to demonstrate and manage consent decisions |
| Event and webinar data | Up to 5 years after the event or last meaningful follow-up interaction |
| Recruitment and freelance application data | Normally, up to 24 months after the recruitment or application process. We may retain data for up to 5 years where you consent to remain in a talent or freelance pool, where we have an ongoing freelance or business relationship with you, or where longer retention is necessary to establish, exercise or defend legal claims. |
| Contract, invoicing and accounting records | As required by applicable accounting and legal obligations, which may be longer than 5 years |
| Legal claims and dispute records | As long as necessary to establish, exercise or defend legal claims |
When personal data is no longer needed, we delete it or anonymise it so that it can no longer be attributed to an identified or identifiable person.
13. Security
We apply technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. These measures may include:
- access controls and role-based permissions;
- personal user accounts and passwords;
- multi-factor authentication where appropriate;
- encryption in transit and, where applicable, at rest;
- secure hosting and system configuration;
- logging and monitoring;
- backup and recovery processes;
- vendor and service-provider review;
- personnel confidentiality obligations;
- internal data protection and information security procedures;
- incident response processes.
We assess security measures based on the nature of the processing, the risks to individuals, and the confidentiality, integrity, availability, and resilience of the systems involved. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Finnish Data Protection Ombudsman within 72 hours in accordance with GDPR Article 33 and will inform affected individuals where required under GDPR Article 34.
14. Your rights
You have the following rights under applicable data protection law:
- Right of access: you may request confirmation of whether we process your personal data and receive a copy of the data.
- Right to rectification: you may request correction of inaccurate or incomplete data.
- Right to erasure: you may request deletion of your personal data in certain circumstances.
- Right to restriction: you may request restriction of processing in certain circumstances.
- Right to data portability: where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used and machine-readable format.
- Right to object: you may object to processing based on legitimate interests at any time.
- Right to object to direct marketing: you may object to direct marketing at any time. This right is absolute — we will cease processing for direct marketing without requiring justification.
- Right to object to profiling for direct marketing: you may object to profiling carried out for direct marketing purposes at any time. See Section 8.
- Right to withdraw consent: where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- Rights relating to automated decision-making: you have the right not to be subject to a decision based solely on automated processing, including profiling, where it produces legal or similarly significant effects, unless permitted by law.
To exercise your rights, you may contact us at privacy@valve.fi. We may ask for information necessary to confirm your identity or clarify your request. We will respond within one calendar month as required by GDPR Article 12(3).
15. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority if you consider that our processing of your personal data infringes data protection law. In Finland, the supervisory authority is:
Office of the Data Protection Ombudsman (Tietosuojavaltuutettu)
Website: tietosuoja.fi
Email: tietosuoja@om.fi
PO Box 800, FI-00531 Helsinki, Finland
We encourage you to contact us first at privacy@valve.fi so that we can try to resolve the matter directly.
16. Providing personal data
Providing personal data may be necessary for us to respond to your enquiry, provide services, enter into or perform a contract, send requested communications, process an application, or comply with legal obligations. If you do not provide necessary personal data, we may not be able to respond to your request, provide services, process your application, or maintain the relevant business relationship.
17. Changes to this privacy policy
We may update this privacy policy from time to time to reflect changes in our processing activities, legal requirements, supervisory guidance, or service-provider arrangements. The latest version will always be available on our website at valveone.com/privacy-policy with a revised Last Updated date.
Material changes: Where we make a material change — such as a new processing purpose, a new category of personal data, a significant change to our service-provider list, or a change to how we handle your rights — we will notify registered contacts by email where we hold a valid address and have a lawful basis to use it. We will provide reasonable advance notice before material changes take effect where appropriate.
Service-provider changes: We may update our service-provider list as systems and services change. Where required by applicable data protection law or our customer agreements, we will provide notice of material additions or replacements and allow customers to raise reasonable data protection objections within the period specified in the applicable data processing agreement.
Controller: Valve Branding Oy
Business ID: 1884268-7
Address: Sturenkatu 16, 00510 Helsinki, Finland
Privacy contact: privacy@valve.fi