Privacy Policy for Preventos Hero

Last updated: 2026-02-25

This Privacy Policy explains how Preventos Informatics Oy ("we", "us", "our") processes personal data when invited users access and use Preventos Hero (the "App"). We are committed to protecting personal data and complying with the EU General Data Protection Regulation (GDPR).

The App is not publicly available. Access is restricted to invited users from customer organizations.

1. Data Controller

Preventos Informatics Oy
Address: Hannunpolku 22, 70870 Hiltulanlahti, Finland
Email: info@preventos.fi

2. Personal Data We Process

We process only the personal data necessary to operate the App and authenticate invited users.

a) Data from your identity provider (IdP)

Display name
Email address

These are obtained through Microsoft Entra External ID (CIAM) when your organization or we invite you.

b) Authentication data

Collected and handled through Microsoft Entra External ID (CIAM):

Identity tokens
Email One-Time Password (OTP), depending on your tenant's configuration
Guest invitation metadata

We do not store passwords.

c) Automatically collected technical data

Device type, browser type, operating system
IP address
Login timestamps
Usage and performance logs (for security and troubleshooting)

d) Local device storage

To ensure full functionality, the App stores:

Login session cookie (essential for authentication)
Non-personal configuration data in localStorage

We do not store personal data in localStorage unless required for core functionality.

3. Purposes and Legal Bases (GDPR Art. 6)

Purpose	Legal Basis
Provide access to the App to invited users	Art. 6(1)(b) Contract
Authentication via Entra External ID	Art. 6(1)(f) Legitimate interest (secure access control)
Manage user accounts and permissions	Art. 6(1)(b) Contract
Security, logging, and fraud prevention	Art. 6(1)(f) Legitimate interest
Operate and improve the service	Art. 6(1)(f) Legitimate interest
Compliance with legal obligations	Art. 6(1)(c) Legal obligation

We do not process personal data for marketing and do not sell personal data.

4. Cookies and Local Storage

Essential cookies

Used solely for:

Maintaining your login session
Ensuring secure access

These cookies are required for the App to function. Consent is not required under GDPR for essential cookies.

LocalStorage

Used for:

App UI preferences
Non-personal operational data

LocalStorage is not used for tracking or analytics.

5. Third-Party Services and External Resources

The App does not embed analytics, trackers, ads, or social media plugins.

a) Authentication provider

Microsoft Entra External ID (CIAM)

Used exclusively for secure sign-in and identity verification.

b) External fonts, CSS, and JavaScript

We use the following CDN provider for external fonts, CSS, and JavaScript:

jsDelivr

When a resource is loaded from a CDN, the CDN provider may receive your IP address and basic request metadata (such as user agent and referrer). We use only resources required for the UI and do not use these for tracking.

c) Map tiles and GIS services

We use the following providers for map tiles and GIS layers:

OpenStreetMap (street map tiles)
Esri (satellite imagery tiles)
Maanmittauslaitos (NLS Finland) via WMS for cadastral layers

These requests can disclose your IP address and basic request metadata to the provider. Satellite tiles may be offered only when you explicitly consent in your user profile.

6. Data Sharing and Disclosure

We may share personal data only with:

Microsoft (for Entra External ID authentication)
Service providers supporting hosting and infrastructure
Your employer or the organization that invited you (if necessary for account management)

We do not sell or transfer personal data to third parties for advertising.

7. International Data Transfers

If personal data is transferred outside the EU/EEA, we ensure appropriate safeguards such as:

European Commission adequacy decisions
Standard Contractual Clauses (SCCs)

You may request a copy of applicable safeguards.

8. Data Retention

We retain personal data only for as long as necessary to:

Provide the App
Manage user accounts
Comply with legal obligations
Resolve disputes

If an organization removes a guest user or access is revoked, personal data is deleted or anonymized in accordance with our retention policy.

9. Security Measures

We implement appropriate technical and organizational measures, including:

Entra External ID secure authentication
Encryption in transit
Role-based access control
Logging and monitoring

No method of transmission or storage is completely secure, but we follow best practices for SaaS solutions.

10. Your GDPR Rights

You have the right to:

Access — See what personal data we have about you
Rectify — Correct inaccurate data
Erasure — Request deletion (right to be forgotten)
Restriction — Restrict or object to processing
Portability — Receive your data in a portable format
Withdraw consent — Withdraw consent (if processing is based on consent)

To exercise your rights, contact info@preventos.fi or your organization's administrator. You may also lodge a complaint with your local Data Protection Authority (DPA).

11. Children's Data

The App is not intended for children under 16 and is provided only to invited business users. We do not knowingly process children's data.

12. Changes to This Privacy Policy

We may update this Privacy Policy when necessary. Updates will be posted in the App, and invited users may be notified if required by law.

13. Contact Us

For questions regarding this Privacy Policy or GDPR rights:

Preventos Informatics Oy
Email: info@preventos.fi