GrindzeroSuomeksi

Privacy Policy

Last updated: May 26, 2026

Data Controller: Grindzero Oy (3411998-2), Mukulakuja 4 A9, 04300 Tuusula

This Privacy Policy describes how Grindzero Oy ("Data Controller") processes the personal data of users of the Grindzero application and related digital services ("Service"). The Service is primarily intended for business and organizational customers.

Scope

This Privacy Policy applies to the processing of personal data related to the use of the Service. The policy covers users acting on behalf of Business Users (e.g., employees and drivers).

Personal data processed

The following personal data may be processed in the Service:

  • phone number (user identifier and login)
  • email address (user identifier and login)
  • name, company, and position
  • technical identifiers related to the user account
  • location data during use of the Service
  • images and documents uploaded to the Service that may contain personal data
  • log and usage data (e.g., logins, timestamps)
  • message or contact content
  • technical data (e.g., IP address, cookie data)

Purpose of personal data processing

Personal data is collected for the following purposes:

  • user identification and login
  • implementing Service functionalities
  • coordinating construction sites and logistics
  • ensuring the security and functionality of the Service
  • fulfilling legal obligations

Legal basis for processing

Processing of personal data is based on:

  • contract (Service Terms of Service)
  • legitimate interest of the data controller (safe and efficient use of the Service)
  • applicable legislation

Location data

Location data is processed only while the Service is in use. Drivers' location data may be shared with other Service users for the purpose of coordinating construction site logistics.

Text messages and authentication

Login is performed using a one-time SMS verification code. A third-party service (GatewayAPI) is used for sending text messages. Verification codes are automatically deleted after use.

Data retention period

Data is retained only for as long as necessary for the purpose of processing or as required by law. Users may request account deletion via self-service in the admin application. After deletion, data is anonymized after the organization's retention period (default 30 days).

Recipients and third parties

The Service uses the following processors:

  • Supabase (Supabase Inc.): authentication, database, and file storage (EU region)
  • Google Maps Platform (Google LLC): map and location services
  • GatewayAPI (OnlineCity ApS): SMS messages
  • Resend (Resend Inc.): transactional emails
  • Sentry (Functional Software Inc.): error tracking and performance monitoring

Data disclosure and transfer

Data is not disclosed to third parties unless necessary for the provision of the Service (e.g., website hosting, invoicing) or required by law. Data is not transferred outside the EU or EEA without an adequate level of protection.

Data subject rights

The data subject has the right to:

  • access their personal data
  • request correction of inaccurate data
  • request deletion of data or their user account ("right to be forgotten")
  • object to or restrict data processing
  • withdraw consent (if processing is based on consent)
  • file a complaint with the Data Protection Ombudsman

Account deletion can be done via self-service in the admin application (admin.grindzero.app → Profile → Delete account). Other requests can be sent to info@grindzero.fi.

Data security

Data is processed with care and protected by technical and administrative measures. Only persons who are authorized to process data in the course of their duties have access to it.

Changes to this policy

The Data Controller may update this Privacy Policy. Material changes will be communicated through the Service.

Contact

For data protection inquiries, please contact:

Grindzero Oy Mukulakuja 4 A9, 04300 Tuusula Finland info@grindzero.fi