Last updated: 2026-04-16
This Privacy Policy explains how Preventos Informatics Oy ("we", "us", "our") processes personal data when invited users access and use Preventos Hero (the "App"). We are committed to protecting personal data and complying with the EU General Data Protection Regulation (GDPR).
The App is not publicly available. Access is restricted to invited users from customer organizations.
Preventos Informatics Oy
Email: info@preventos.fi
We process only the personal data necessary to operate the App and authenticate invited users.
These are obtained through Microsoft Entra External ID (CIAM) when your organization or we invite you.
Collected and handled through Microsoft Entra External ID (CIAM):
We do not store passwords.
To ensure full functionality, the App stores:
We do not store personal data in localStorage unless required for core functionality.
If notifications are enabled for your environment (not enabled by default), we may process:
Notifications primarily include alert notifications, but may also include other user-activated notifications (for example, a message that background work has completed). SMS notifications are sent only if the user has explicitly opted in.
| Purpose | Legal Basis |
|---|---|
| Provide access to the App to invited users | Art. 6(1)(b) Contract |
| Authentication via Entra External ID | Art. 6(1)(f) Legitimate interest (secure access control) |
| Manage user accounts and permissions | Art. 6(1)(b) Contract |
| Security, logging, and fraud prevention | Art. 6(1)(f) Legitimate interest |
| Operate and improve the service | Art. 6(1)(f) Legitimate interest |
| Compliance with legal obligations | Art. 6(1)(c) Legal obligation |
| Email notifications (if enabled and necessary for service or security information) | Art. 6(1)(b) Contract |
| SMS notifications (if enabled and user has opted in, or when necessary for requested service delivery) | Art. 6(1)(a) Consent and/or Art. 6(1)(b) Contract |
We do not process personal data for marketing and do not sell personal data.
Used solely for:
These cookies are required for the App to function. Consent is not required under GDPR for essential cookies.
Used for:
LocalStorage is not used for tracking or analytics.
The App does not embed analytics, trackers, ads, or social media plugins.
Used exclusively for secure sign-in and identity verification.
We use the following CDN provider for external fonts, CSS, and JavaScript:
When a resource is loaded from a CDN, the CDN provider may receive your IP address and basic request metadata (such as user agent and referrer). We use only resources required for the UI and do not use these for tracking.
We use the following providers for map tiles and GIS layers:
These requests can disclose your IP address and basic request metadata to the provider. Satellite tiles may be offered only when you explicitly consent in your user profile.
If notifications are enabled, we use:
Email notifications are sent via Microsoft 365, and no separate external email notification provider is used for that purpose.
These services receive only the contact details required to deliver notifications and only when notifications are enabled and configured.
We may share personal data only with:
We do not sell or transfer personal data to third parties for advertising.
Identity data is processed primarily within the EU. In limited cases (such as security operations, diagnostics, or customer support), some data may be transferred outside the EU/EEA. In those cases, we apply appropriate safeguards such as:
You may request a copy of applicable safeguards.
We retain personal data only for as long as necessary to:
After your user account is deleted or your organization's agreement ends, personal data (including notification contact details and records of sent notifications, where applicable) is deleted or anonymized within 30 days, unless a longer retention period is required by law or necessary for establishing, exercising, or defending legal claims.
Technical sign-in log data is retained only as long as needed for information security, troubleshooting, and misuse prevention, and is deleted or anonymized in line with the same timelines unless a longer period is justified for security investigations.
We implement appropriate technical and organizational measures, including:
No method of transmission or storage is completely secure, but we follow best practices for SaaS solutions.
You have the right to:
To exercise your rights, contact info@preventos.fi or your organization's administrator. You may also lodge a complaint with your local Data Protection Authority (DPA).
In Finland, the supervisory authority is the Office of the Data Protection Ombudsman: https://tietosuoja.fi/.
The App is not intended for children under 16 and is provided only to invited business users. We do not knowingly process children's data.
To create and use a user account, you must provide the personal data required for identification and sign-in (such as name and email address). If required data is not provided, account creation and sign-in are not possible.
Notifications (email and/or SMS) are optional and not enabled by default. SMS notifications are sent only for users who have opted in, and consent can be withdrawn at any time through account settings (if available) or by contacting us.
We may update this Privacy Policy when necessary. Updates will be posted in the App, and invited users may be notified if required by law.
For questions regarding this Privacy Policy or GDPR rights:
Preventos Informatics Oy
Email: info@preventos.fi