Privacy Policy
Last updated: February 2026
1. Introduction
Sessiq ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our booking platform.
This policy applies to all users of our Service and complies with the General Data Protection Regulation (GDPR) and applicable Finnish data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
Sessiq
Email: privacy@sessiq.com
Address: Helsinki, Finland
3. Personal Data We Collect
3.1 Information You Provide
We collect personal data that you voluntarily provide, including:
- Contact information: Name, email address, phone number.
- Account information: Username, password (stored securely hashed).
- Booking details: Activity preferences, dates, number of participants.
- Participant information: Names and dates of birth of activity participants (where required for age verification).
- Payment information: Processed securely by our payment providers (Stripe, Paytrail). We do not store full payment card details.
- Communication records: Messages you send us through customer support.
3.2 Automatically Collected Information
When you use our Service, we automatically collect certain technical information:
- Device information: Browser type, operating system, device type.
- Usage data: Pages visited, features used, booking flow progression.
- IP address: Used for security and fraud prevention.
- Cookies and similar technologies: See Section 10 (Cookies) below.
4. How We Use Your Data
We process your personal data for the following purposes:
4.1 Booking Fulfillment (Contractual Necessity)
- Processing and managing your bookings.
- Sending booking confirmations and reminders.
- Facilitating communication with Activity Providers.
- Processing payments and refunds.
4.2 Account Management (Contractual Necessity)
- Creating and managing your user account.
- Providing access to your booking history.
- Processing password resets and account security.
4.3 Legal Compliance (Legal Obligation)
- Maintaining records as required by law.
- Responding to legal requests from authorities.
- Tax and accounting compliance.
4.4 Service Improvement (Legitimate Interest)
- Analyzing usage patterns to improve our Service.
- Troubleshooting technical issues.
- Conducting surveys and collecting feedback.
4.5 Marketing (Consent)
- Sending promotional emails about activities and offers (only with your explicit consent).
- You can withdraw marketing consent at any time via your account settings or unsubscribe links.
5. Data Sharing
5.1 Activity Providers
We share necessary booking information (participant names, contact details, booking specifics) with Activity Providers to fulfill your booking. Activity Providers have their own privacy policies governing their use of this data.
5.2 Service Providers
We use trusted third-party services for:
- Payment processing: Stripe (EU/US), Paytrail (Finland).
- Email delivery: Transactional email services.
- Analytics: Privacy-respecting analytics tools.
- Cloud hosting: EU-based cloud infrastructure.
All service providers are bound by data processing agreements ensuring GDPR compliance.
5.3 Legal Requirements
We may disclose your data when required by law, court order, or to protect our legal rights.
6. Data Retention
We retain your personal data for the following periods:
- Account data: While your account is active, plus 2 years after account deletion for legal compliance.
- Booking records: 7 years from the booking date (tax and accounting requirements).
- Marketing preferences: Until consent is withdrawn.
- Technical logs: Up to 90 days for security and troubleshooting.
7. Your Rights
Under GDPR, you have the following rights:
- Right of access: Request a copy of your personal data.
- Right to rectification: Correct inaccurate or incomplete data.
- Right to erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
- Right to restrict processing: Limit how we use your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Withdraw consent for marketing communications at any time.
To exercise these rights, contact us at privacy@sessiq.com. We will respond within 30 days.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/SSL) and at rest.
- Secure password hashing using industry-standard algorithms.
- Access controls and authentication for internal systems.
- Regular security assessments and updates.
- Row-level security in our database ensuring tenant data isolation.
- Account lockout protection against brute-force attacks.
9. International Transfers
Your data is primarily processed within the European Economic Area (EEA). If data is transferred outside the EEA (e.g., to payment processors), we ensure appropriate safeguards are in place, such as:
- EU-approved Standard Contractual Clauses.
- Adequacy decisions by the European Commission.
- Certification schemes such as the EU-US Data Privacy Framework.
10. Cookies
10.1 Essential Cookies
We use essential cookies necessary for the Service to function, including session management and security tokens. These do not require consent.
10.2 Analytics Cookies
With your consent, we may use analytics cookies to understand how visitors use our Service. These cookies do not identify you personally.
10.3 Managing Cookies
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect Service functionality.
11. Children's Privacy
Our Service is not directed at children under 16. We do not knowingly collect personal data from children under 16 without parental consent. Participant information for minors is collected from the booking adult (parent or guardian).
12. Changes to This Policy
We may update this Privacy Policy periodically. Significant changes will be communicated via email or prominent notice on our Service. We encourage you to review this policy regularly.
13. Complaints
If you have concerns about our data practices, please contact us first. If you are not satisfied with our response, you have the right to lodge a complaint with:
Office of the Data Protection Ombudsman (Finland)
Website: tietosuoja.fi/en
14. Contact Us
For privacy-related questions or to exercise your rights, reach out to our Data Protection contact:
Sessiq - Privacy
Email: privacy@sessiq.com
Address: Helsinki, Finland