Sivussa Privacy Policy

Last updated: 2026-04-17

Controller
Harri Ahokas ("Sivussa", "we", "us", "our")
Business ID (Y‑tunnus): 2101028-3
Address: Inglaksenrinne 11, 02780 Espoo, Finland
Email: [email protected]

1. Scope of This Privacy Policy

This Privacy Policy explains how Sivussa collects, uses, discloses, and otherwise processes personal data in connection with:

  • our website at sivussa.com;
  • one-time audit purchases and subscriptions;
  • delivery of audit reports by email;
  • communications with customers and prospective customers; and
  • the performance of public-information website audits.

This Policy applies to both business customers (B2B) and consumers (B2C) where we act as a data controller for our own operations.

This Policy does not replace the privacy policies of third parties that operate services we use, most importantly Stripe for payment processing and subscription billing management.

2. Who We Are and Our Role

For the personal data described in this Privacy Policy, Sivussa generally acts as the controller for its own website, order handling, audit operations, communications, and service delivery.

In some parts of the payment and billing flow, Stripe acts as an independent controller or service provider for its own payment, fraud prevention, billing, and customer portal functions under Stripe’s own legal terms and privacy documentation.

3. Personal Data We Collect

3.1 Data you provide directly

When you purchase an audit or subscribe, we typically receive or collect only the information necessary to operate the service, such as:

  • your email address;
  • the domain name or URL you want us to audit;
  • the type of plan you selected (for example one-time, monthly, or quarterly);
  • the date and time of purchase or subscription event; and
  • any support or contact information you choose to send us by email or contact form.

3.2 Payment and billing data

Sivussa does not store your full payment card details. Payment credentials are collected and processed by Stripe. Sivussa typically receives only limited payment-related information needed to provide the service, such as:

  • payment status;
  • customer email;
  • transaction date;
  • plan or product selected; and
  • limited subscription/billing metadata.

3.3 Data generated when we perform an Audit

To generate an Audit, we process information that is publicly accessible on the Target Site you submit, including, where relevant:

  • public pages and page content;
  • public HTML metadata, schema, headings, links, and technical signals;
  • public performance-related observations; and
  • other publicly reachable content or markup that is reasonably necessary to produce the Audit.

If publicly accessible pages contain personal data, that data may be processed incidentally as part of analyzing the page.

3.4 Technical and website usage data

When you visit our website, we or our hosting/infrastructure providers may process limited technical data for security and operations, such as:

  • IP address;
  • browser type and version;
  • device / operating system information;
  • request timestamps;
  • referrer and request logs; and
  • similar server or network security logs.

We aim to minimise such data and use it only as necessary for website operation, security, abuse prevention, and troubleshooting.

4. How We Use Personal Data

We use personal data for the following purposes:

4.1 To provide the Service

  • create and administer your Order;
  • start and perform the Audit after successful payment;
  • generate and deliver the Report;
  • manage subscriptions and billing events;
  • respond to support questions and delivery issues.

4.2 To operate, secure, and improve the website and service

  • maintain website and service security;
  • prevent fraud, misuse, and abuse;
  • diagnose technical issues;
  • improve audit quality, workflows, and service reliability.

4.3 To comply with legal obligations

  • maintain accounting and tax records;
  • comply with legal, regulatory, and law-enforcement obligations where applicable;
  • establish, exercise, or defend legal claims.

4.4 To communicate with you

  • send service-related emails (for example delivery, billing, or support communications);
  • notify you about material changes to our legal terms where required.

We do not need your full payment card details to provide the Service.

5. Legal Bases for Processing (GDPR / EEA / UK)

Where GDPR or similar rules apply, we generally rely on one or more of the following legal bases:

5.1 Performance of a contract

We process your email address, order details, target domain, and service-delivery data where necessary to:

  • take your Order;
  • start the Audit;
  • generate the Report; and
  • deliver the Service you purchased.

5.2 Legitimate interests

We may process certain data where necessary for our legitimate interests, including to:

  • operate and secure the Site and Service;
  • prevent fraud and abuse;
  • analyze publicly accessible websites in order to deliver requested Audits;
  • maintain business records; and
  • improve service quality and reliability.

When we rely on legitimate interests, we aim to ensure that the processing is proportionate and does not override the rights and freedoms of affected individuals.

5.3 Legal obligation

We may process personal data where necessary to comply with legal obligations, including tax, accounting, anti-fraud, consumer protection, and law-enforcement obligations.

5.4 Consent, where required

Where required by law, we rely on consent for non-essential cookies or similar technologies, and for any other processing activity for which consent is the appropriate legal basis.

6. AI-Assisted Processing

Sivussa uses automated methods and may use AI models, including large language models, to help generate parts of the Report.

We design the process to provide only the minimum information reasonably needed to those AI components, which typically means:

  • the domain / URL to audit;
  • the email address needed to deliver the report; and
  • the publicly accessible website content reasonably necessary to analyze the submitted site.

We do not request credentials for private systems as part of the standard service, and the service is designed to work on publicly accessible information only.

The service is not intended to perform:

  • emotion recognition;
  • biometric categorisation; or
  • the intentional collection of special categories of personal data.

7. Cookies and Similar Technologies

Our website may use cookies or similar technologies for strictly necessary purposes such as:

  • website security;
  • session integrity;
  • load balancing;
  • payment-link handoff or related checkout continuity; and
  • basic website operation.

If we use non-essential cookies or similar technologies (for example analytics, preferences, or marketing technologies), we will seek consent where required by law and provide an appropriate cookie banner or preference tool.

Important: This Privacy Policy is not a substitute for a cookie declaration or preference center. If you enable non-essential cookies, your cookie disclosure and consent tooling should be updated accordingly.

8. Payments, Billing, and Stripe

We use Stripe for payment processing and subscription billing management, including Stripe-hosted checkout and the Stripe Customer Portal.

This means:

  • payment credentials are generally collected and handled by Stripe;
  • customers may manage billing and subscription status through Stripe’s Customer Portal; and
  • Stripe may process personal data for payment processing, fraud prevention, regulatory compliance, and portal functionality under Stripe’s own legal terms and privacy documentation.

Stripe’s privacy documentation is available at:

9. Who We Share Personal Data With

We may share personal data with the following categories of recipients where necessary:

9.1 Payment and billing providers

  • Stripe and related payment infrastructure providers for payment processing, billing, customer portal functions, fraud prevention, and related operational needs.

9.2 Infrastructure and service providers

  • hosting providers;
  • email delivery or communication providers;
  • website security and operational tooling providers;
  • AI / model providers used to help generate the Service;
  • professional advisers, auditors, and contractors acting on our behalf.

9.3 Authorities and legal recipients

We may disclose personal data where required by law, court order, or competent authority, or where necessary to establish, exercise, or defend legal claims.

9.4 Business transfers

If Sivussa is involved in a merger, acquisition, financing, reorganization, or sale of assets, personal data may be transferred as part of that transaction subject to appropriate confidentiality and legal safeguards.

We do not sell personal data as part of the ordinary operation of the Service.

10. International Data Transfers

Some of our service providers may process personal data outside the European Economic Area, the United Kingdom, or your country of residence.

Where we transfer personal data internationally, we aim to use an appropriate transfer mechanism where required by law, such as:

  • an adequacy decision; or
  • Standard Contractual Clauses (SCCs) or other appropriate safeguards.

Because Stripe and other global providers may process data internationally, international transfers can occur as part of payment processing, infrastructure, or support operations.

11. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Policy, including:

  • service delivery;
  • report delivery and support;
  • dispute handling;
  • fraud prevention;
  • legal and accounting record-keeping; and
  • business continuity and security.

Retention periods may vary depending on the type of data and legal requirements. For example:

  • order, invoice, and accounting data may be kept as required by applicable tax and accounting laws;
  • support correspondence may be retained for operational and dispute-resolution purposes; and
  • technical logs may be retained for security and troubleshooting for a limited period unless longer retention is necessary.

We aim not to retain personal data longer than necessary.

12. Your Rights

If GDPR or similar data protection law applies to you, you may have the right to:

  • be informed about the processing of your personal data;
  • request access to your personal data;
  • request rectification of inaccurate or incomplete data;
  • request erasure in certain circumstances;
  • request restriction of processing in certain circumstances;
  • receive your personal data in a portable format where applicable;
  • object to processing based on legitimate interests in certain circumstances; and
  • lodge a complaint with a competent supervisory authority.

To exercise your rights, contact us at [email protected]. We may need to verify your identity before completing a request.

If you are in the EU/EEA, you may also complain to your local supervisory authority. If Sivussa’s main establishment is in Finland, the competent authority may include the Office of the Data Protection Ombudsman (Finland).

13. Data Relating to Children

The Service is not directed to children and is not intended for individuals under 18 years of age.

We do not knowingly collect personal data directly from children. If you believe that a child has provided personal data to us inappropriately, contact us and we will investigate.

14. Security

We use reasonable administrative, technical, and organizational measures to protect personal data against unauthorized access, disclosure, loss, misuse, and alteration.

However, no system or transmission method is completely secure. You should also take your own precautions, including using secure email and protecting access to your own systems.

15. Links to Third-Party Sites and Target Sites

Our Site or Reports may contain links to third-party websites. We are not responsible for the privacy practices of third-party sites.

Similarly, Target Sites submitted for Audit are controlled by their respective operators, not by Sivussa.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, legal requirements, or our practices.

If we make material changes, we will post the updated version on the Site and update the “Last updated” date. Where required, we may also provide notice by email or other appropriate means.

17. Contact

If you have questions about this Privacy Policy or want to exercise your rights, contact:

[email protected]

or write to:

Harri Ahokas
Inglaksenrinne 11 02780 Espoo, Finland