logo

Privacy Policy

Last Updated: November 2025

Effective Date: 1.1.2025

Avlio / VP-Tuote Oy, Business ID 0815330-0, is committed to protecting individuals' personal data and complying with the EU General Data Protection Regulation (GDPR) and applicable financial services regulations. This policy applies to all users of our services, including independent courier workers, B2B and B2C clients, their representatives, and ultimate beneficiaries.

1. Data Controller and Contact Information

Company: Avlio / VP-Tuote Oy

Business ID: 0815330-0

Address: Runeberginkatu 25 A 15, 00100 Helsinki, Finland

Email: development.avlio@gmail.com

Data Protection Officer: development.avlio@gmail.com

2. Purpose of This Policy

This privacy policy explains how we collect, process, store, and protect personal data. It also explains your rights as a data subject and how to exercise them.

3. Personal Data Collection

We collect personal data from the following sources:

  • Directly from the user (e.g., account creation, contracts, communications)
  • Payment and banking service providers
  • Publicly available registries such as population registers, credit reference agencies, and sanction lists
  • Sub-processors and service providers (e.g., Firebase, Google)

Types of Data Collected

  • Basic Information: name, date of birth, nationality, personal identification number
  • Contact Information: email, phone number, address
  • Employment and Earnings Data: earning history, bank account details, platform profiles
  • Financial Data: bank account, payment history
  • Technical Data: IP address, device, browser information, logs
  • Authentication and Login: user IDs, passwords, account activity

4. Purposes of Processing and Legal Bases

PurposeLegal Basis
Provision of services and contract fulfillmentContractual necessity (Art. 6(1)(b) GDPR)
Customer support and service developmentLegitimate interest (Art. 6(1)(f) GDPR)
Marketing and customer profilingConsent and/or legitimate interest
Financial reporting and bookkeepingLegal obligation (Art. 6(1)(c) GDPR)
Fraud prevention, KYC & AMLLegal obligation + legitimate interest

5. KYC, AML and Fraud Prevention

Our services comply with the following procedures:

  • Know Your Customer (KYC): verification of identity and company legitimacy
  • Anti-Money Laundering (AML): monitoring and reporting suspicious transactions
  • Fraud Prevention: AI-based and manual risk detection processes

These actions are based on both contract fulfillment and legal requirements (e.g., Payment Services Act, Anti-Money Laundering Act)

6. Automated Decision-Making and Profiling

  • We may use automated analysis for credit risk, service readiness, and offer assessment
  • You have the right to request manual review of any automated decision
  • Logic and consequences of automated processing will be provided upon request

7. Data Sharing and Sub-Processors

  • Sub-Processors: payment providers (Revolut), hosting and analytics (Firebase, Google)
  • Third Parties: only where legally or contractually required
  • All third-party processing is governed by written agreements and GDPR compliance

8. International Data Transfers

  • Personal data may, in certain circumstances, be transferred outside the EU/EEA
  • We use European Commission-approved standard contractual clauses and other appropriate safeguards

9. Data Security

  • We implement appropriate technical, organizational, and administrative measures
  • Measures protect against unauthorized access, loss, misuse, alteration, and destruction
  • Sub-processors are required to maintain the same level of security

10. Data Retention

  • Data is retained only as long as necessary for the purposes outlined or as required by law
  • Customer data: typically 10 years after end of relationship
  • Potential customer data: typically 2 years from initial contact

11. Data Subject Rights

  • Access: right to view personal data held
  • Rectification: correct inaccurate or incomplete data
  • Erasure: right to be forgotten, unless legal retention obligations exist
  • Restriction of Processing: limit processing under certain conditions
  • Objection: object to processing, including marketing and profiling
  • Data Portability: receive data in machine-readable format and transfer to another controller
  • Withdrawal of Consent: can withdraw consent at any time for processing based solely on consent

Requests can be sent to development.avlio@gmail.com

12. Marketing and Profiling

  • Personal data may be used for marketing and profiling only based on consent or legitimate interest
  • You can always withdraw marketing consent

13. Cookies and Tracking

  • Website uses cookies for analytics and improving user experience
  • Detailed Cookie Policy is provided in a separate document

14. Changes to the Policy

  • We reserve the right to update this policy
  • Latest version is always available on our website

15. Regulatory Authority and Complaints

Finland: Data Protection Ombudsman, Lintulahdenkuja 4, 00530 Helsinki

Phone: +358 29 566 6700

Email: tietosuoja@om.fi

Complaints may also be made in any EU/EEA country

16. Mini-DPA Appendix

  • All sub-processors comply with GDPR requirements
  • Sub-processors may process data only for agreed purposes
  • Data must be returned or deleted at the end of the service agreement