Kaiku

Privacy Policy

Controller

CompanyKaiku Crew Oy

Business ID3520495-1

Addressc/o Reaktor Innovations Oy Yliopistonkatu 4, 00100 Helsinki, Finland

Emailprivacy@kaikucrew.com

Websitehttps://kaikucrew.com

Last updated2026-03-08

Scope and Purpose of This Policy

This privacy policy explains how Kaiku Oy collects, uses, stores, and discloses personal data in connection with our business operations as an AI-powered software development consultancy. This policy applies to:

Clients and client representativesSection 4

Job applicants and recruitment candidatesSection 5

Website visitorsSection 6

Suppliers and business partnersSection 7

Employees and contractorsSection 8

Each category of data subject is addressed separately to ensure clarity about the specific data processing activities relevant to them.

Key Definitions

Term	Definition
Personal data	Any information relating to an identified or identifiable natural person
Processing	Any operation performed on personal data, including collection, storage, use, and deletion
Data controller	The entity that determines the purposes and means of processing personal data
Data processor	An entity that processes personal data on behalf of the controller
Data subject	The identified or identifiable natural person to whom personal data relates
Legal basis	The lawful ground under GDPR Article 6 on which processing is based
Supervisory authority	The Finnish Data Protection Ombudsman (Tietosuojavaltuutettu)

Clients and Client Representatives

4.1 Categories of Personal Data

We process the following categories of personal data relating to our clients and their representatives:

Contact informationname, email address, phone number, job title, company name

Contract and billing datainvoicing details, payment records, VAT number, bank account details

Communication recordscorrespondence via email, Slack, or other communication tools

Project-related datarequirements, feedback, access credentials provided for project work

Technical identifiersIP addresses, login timestamps where clients access shared project tools

4.2 Purposes and Legal Bases

Purpose	Legal Basis (GDPR Art. 6)	Details
Performing contracted services	Art. 6(1)(b) - Contract performance	Delivery of software development, AI engineering, and consulting services as agreed
Invoicing and accounting	Art. 6(1)(c) - Legal obligation	Finnish Accounting Act requires retention of financial records
Client relationship management	Art. 6(1)(f) - Legitimate interest	Maintaining service quality, project history, and ongoing communication
Legal claims and compliance	Art. 6(1)(f) - Legitimate interest	Establishing, exercising, or defending legal claims

4.3 Data Sources

Client personal data is primarily collected directly from clients during contract negotiations, project onboarding, and ongoing communication. We may also receive data from publicly available sources such as company websites or business registries.

4.4 Client Data Processing as a Data Processor

In the course of performing services, Kaiku may access or process personal data controlled by the client. In these situations, Kaiku acts as a data processor under Article 28 GDPR. The processing of such data is governed by a separate Data Processing Agreement (DPA) between Kaiku and the client. This privacy policy does not cover data processed in that capacity.

4.5 Use of AI Tools in Client Projects

Kaiku employs AI-powered development tools (such as large language models and code assistants) to deliver services efficiently. When client project data may be processed by such tools, Kaiku ensures that:

Processing is limited to what is necessary for the contracted services

No client personal data is used for training third-party AI models without explicit authorisation

Appropriate technical and contractual safeguards are in place with AI service providers

Specific details are documented in the relevant Data Processing Agreement

4.6 Retention Period

Client contact and project data is retained for the duration of the contractual relationship and for six (6) years thereafter in accordance with Finnish accounting obligations. Communication records are retained for three (3) years after the end of the engagement unless a longer period is required for legal purposes.

Job Applicants and Recruitment Candidates

5.1 Categories of Personal Data

We process the following categories of personal data relating to job applicants and recruitment candidates:

Identity and contact informationname, email address, phone number, address

Professional profileCV/resume, cover letter, portfolio, work history, education

Assessment datainterview notes, technical assessment results, reference information

Communication recordsapplication correspondence and scheduling

Salary expectations and availability information

5.2 Purposes and Legal Bases

Purpose	Legal Basis (GDPR Art. 6)	Details
Evaluating applications	Art. 6(1)(b) - Pre-contractual steps	Assessing suitability for open or future positions
Communicating with candidates	Art. 6(1)(b) - Pre-contractual steps	Scheduling interviews, providing updates on application status
Maintaining a talent pool	Art. 6(1)(a) - Consent	Retaining candidate profiles for future opportunities (only with explicit consent)
Equal opportunity monitoring	Art. 6(1)(c) - Legal obligation	Compliance with non-discrimination legislation where applicable

5.3 Data Sources

Applicant data is collected directly from candidates through job applications, interviews, and correspondence. With the candidate's knowledge, we may also collect data from publicly available professional profiles (such as LinkedIn or GitHub) and from referees named by the candidate.

5.4 Use of AI in Recruitment

Kaiku may use AI-assisted tools to support the recruitment process, for example to summarise applications or assist in scheduling. When AI tools are used:

No automated decision-making with legal or similarly significant effect is applied without human review

Candidates are informed if AI tools materially influence the selection process

All final hiring decisions are made by human decision-makers

5.5 Retention Period

Application data for unsuccessful candidates is retained for twelve (12) months after the conclusion of the recruitment process, unless the candidate consents to a longer retention period for talent pool purposes. Talent pool data is retained for a maximum of twenty-four (24) months, after which renewed consent is requested. Data relating to hired candidates becomes part of the employment record (see Section 8).

Website Visitors

6.1 Categories of Personal Data

When you visit kaikucrew.com, we may process:

Technical dataIP address, browser type, operating system, device type, screen resolution

Usage datapages visited, time on site, referral source, click patterns

Contact form dataname, email, message content (if you submit a form)

6.2 Purposes and Legal Bases

Purpose	Legal Basis (GDPR Art. 6)	Details
Strictly necessary and security	Art. 6(1)(f) - Legitimate interest	Ensuring the website operates correctly and protecting against misuse
Website functionality	Art. 6(1)(a) - Consent	Allowing the website to operate correctly
Responding to enquiries	Art. 6(1)(b) - Pre-contractual steps	Processing and responding to contact form submissions

6.3 Cookies and Tracking

Our website uses cookies and similar technologies. Strictly necessary cookies are placed without consent as permitted under the ePrivacy Directive. Analytics and marketing cookies are only placed after obtaining your consent through our cookie consent mechanism. You can modify your cookie preferences at any time via the cookie settings on our website.

6.4 Retention Period

Website analytics data is retained in anonymised or pseudonymised form for up to twenty-four (24) months. Contact form submissions are retained for twelve (12) months unless they lead to a client engagement (in which case Section 4 applies).

Suppliers and Business Partners

7.1 Categories of Personal Data

We process contact and billing information for representatives of our suppliers and business partners, including name, email, phone number, company name, role, and invoicing details.

7.2 Purposes and Legal Bases

This data is processed for the performance of contracts with suppliers (Art. 6(1)(b)) and for managing ongoing business relationships under our legitimate interest (Art. 6(1)(f)).

7.3 Retention Period

Supplier data is retained for the duration of the business relationship and for six (6) years thereafter in accordance with Finnish accounting obligations.

Employees and Contractors

Kaiku processes personal data of its employees and contractors for employment administration, payroll, tax compliance, and workplace safety. Detailed information about employee data processing is provided separately in Kaiku's internal Employee Privacy Notice, which is made available to all personnel upon onboarding. Key legal bases include contract performance (Art. 6(1)(b)), legal obligations under Finnish employment and tax legislation (Art. 6(1)(c)), and legitimate interest (Art. 6(1)(f)).

International Data Transfers

Kaiku uses certain service providers that may process personal data outside the European Economic Area (EEA). When personal data is transferred to countries outside the EEA, we ensure that appropriate safeguards are in place, including:

European Commission adequacy decisions (e.g. the EU-US Data Privacy Framework for certified US providers)

Standard Contractual Clauses (SCCs) approved by the European Commission

Binding Corporate Rules where applicable

Current third-country transfers may include data processed by cloud infrastructure providers (AWS), productivity tools (Google Workspace, Slack), and AI service providers (Anthropic, OpenAI). A record of sub-processors and applicable transfer mechanisms is maintained and available upon request.

Data Security

Kaiku implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or destruction. These measures include:

Encryption of data in transit (TLS) and at rest

Multi-factor authentication for all business-critical systems

Role-based access controls and principle of least privilege

Regular security reviews and updates

Confidentiality obligations for all personnel

Secure development practices in client projects

Data Processing Agreements with all sub-processors

Your Rights as a Data Subject

Under the GDPR, you have the following rights in relation to your personal data:

Right	Description
Right of access (Art. 15)	You may request confirmation of whether we process your data and obtain a copy of it
Right to rectification (Art. 16)	You may request correction of inaccurate or incomplete personal data
Right to erasure (Art. 17)	You may request deletion of your personal data where there is no compelling reason for continued processing
Right to restriction (Art. 18)	You may request that we restrict processing in certain circumstances
Right to data portability (Art. 20)	You may request your data in a structured, machine-readable format
Right to object (Art. 21)	You may object to processing based on legitimate interest, including direct marketing
Right to withdraw consent	Where processing is based on consent, you may withdraw it at any time without affecting prior processing

To exercise any of these rights, please contact us at privacy@kaikucrew.com. We will respond to your request within one (1) month. In complex cases, this period may be extended by a further two (2) months, in which case we will inform you of the extension and the reasons for it.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman:

NameOffice of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)

AddressLintulahdenkuja 4, 00530 Helsinki, Finland

Emailtietosuoja@om.fi

Websitehttps://tietosuoja.fi/en

Automated Decision-Making and Profiling

Kaiku does not use automated decision-making, including profiling, that produces legal effects or similarly significant effects on data subjects without human involvement. Where AI tools are used in our processes (such as recruitment support or service delivery), a qualified human decision-maker is always involved in any decision that materially affects individuals.

Changes to This Policy

Kaiku may update this privacy policy from time to time to reflect changes in our processing activities, legal requirements, or business operations. Material changes will be communicated through our website and, where appropriate, by direct notification. The latest version of this policy is always available at https://kaikucrew.com/privacy.

The technology partner for forward-looking, AI-powered engineers and companies.

Kaiku Crew Oy / 3520495-1

Yliopistonkatu 4, 00100 Helsinki