Privacy Policy, Vapaus
Updated 19.8.2025
Vapaus Bikes Finland Oy ("Vapaus" or "we") markets and offers carbon negative mobility services, including, without limitation, mobility equipment, commuter bicycles and other related accessories, to its customer companies and/or customer prospects ("Customer") through the Vapaus-managed Vapaus.io platform, available at app.vapaus.io/user (the website, platform and services collectively, the "Service"), which allows Vapaus' Customers and their employees, agents or other persons authorized by the Customer to purchase and manage commuter bicycles and reserve mobility equipment for time- and place-limited mobility.
This Privacy Policy explains how we process information relating to Customers and Service users.
"User" means users of the Service as defined by Vapaus’ Customers. We may update this Privacy Policy as necessary due to changes in the processing of data or for any other reason. For the most up-to-date version, please visit our website. This Privacy Policy applies only to the processing of personal data for which Vapaus is the controller.
1. CONTACT INFORMATION
Company: Vapaus Bikes Finland Oy
Business ID: 2879502-8
Contact in data protection issues:
Vapaus Bikes Finland Oy’s Data Protection Officer Kasper Hannula
Vilhonvuorenkatu 11 C, 00500 Helsinki
kasper@vapaus.io
The Data Protection Ombudsman supervises compliance with regulations governing personal data.
Office of the Data Protection Ombudsman
tel. +358 29 566 6777
tietosuoja@om.fi
2. PERSONAL DATA PROCESSED AND DATA SOURCES
The personal data we collect and process in connection with the implementation and use of the Service and in connection with logging in to the Service can be divided into three main categories: Customer Data, User Data and Analytical Data.
In connection with the marketing and implementation of the Service, Vapaus collects and processes information relating to the Customer and the Customer's contact persons and prospects ("Customer Data"), such as name, telephone number, title, customer number, email address and messages, language preference, customer feedback and satisfaction data, the level and duration of the loyalty benefit program, purchase data for the Service, and the results of market research and opinion polls.
Vapaus collects and processes information about Users who book transportation through the Service ("User Data"), such as name, personal identification number, telephone number, username, password, email address and messages, language preference, address, content provided by the User on the Service (such as feedback or additional information provided by the User about himself/herself), information about the benefit bike (such as taxable value, contract period, bike details), and restrictions and prohibitions related to the User.
We automatically collect and process certain analytics data ("Analytics Data") about your use of the Service through the information systems and technical tools at our disposal, such as IP address, device and device number, browser and browser version used, operating system, internet service provider, device advertising identifier, Customer segmentation, time spent on the Service and times of visits.
We may also collect location data of the vehicle booked and used by the User if the vehicle is equipped by us with location-enabled telematics equipment.
The above-mentioned location data is not collected for benefit bikes.
In principle, Vapaus collects Customer Data directly from Customers and/or Customer Prospectuses.
Vapaus collects User Data in principle directly from Users, either provided by the User, generated by the Service, or based on the use of the Service and/or from Customers.
Vapaus automatically collects Analytics Data based on the use of the Service on our Service. Although we do not normally use Analytics Data to identify natural persons, a User may sometimes be identifiable from it, either alone or in combination or combination with User Data. In these cases, the Analytics Data will be considered personal data for the purposes of applicable law and we will treat the data as personal data.
3. COOKIES
We use various technologies, including cookies, pixel and web beacon technology, to collect and store Customer Data, Analytics Data and other information related to a User's visit to the Service. Cookies may also collect personal data about Customers and/or Users.
Cookies are small text files sent to and stored on the Customer's and/or User's device that enable us to identify visitors to our Service, facilitate visitors' use of the Service, and allow us to compile aggregate information about visitors to our Service. This feedback allows us to improve the functionality of our Service and to monitor and analyse the use of our Service. Cookies do not harm your devices or your files. We use cookies in order to provide our Users with the Service and information that meets their individual needs.
We ask for your consent to the use of cookies that are not strictly necessary to enable the core functionality of our website and to provide the service you request when you visit our website. You can disable cookies at any time by changing your browser settings. Below you will find detailed instructions on how to do this.
The cookies we use may already be Vapaus’ and/or a third party’s cookies and can be categorised as persistent or session cookies. A persistent cookie is a text file that is sent to the Customer's and/or User's device and is permanently stored by the browser used until a specified deletion time (unless the Customer and/or User disables the cookie before the specified deletion time). A session cookie is a text file sent to the Customer's and/or User's device and is stored by the browser used until the end of the session. Cookies are divided into the following four categories. All categories include third-party cookies, which can be used to transfer data to third parties.
Necessary cookies
These cookies are needed to make our website work safely and correctly. Necessary cookies allow you to browse our website and enable us to provide the service you want. Necessary cookies enable basic website functions, such as identifying you and detecting repeated failed login attempts. We do not need your consent to use these cookies, but you can opt out of them by changing your browser settings. However, this will affect the functioning of the website and some essential functions may not work.
Functional cookies
These cookies allow us to use useful features to improve your user experience, such as remembering your login information and preferences.
Analytical cookies
These cookies give us information about how you use our website and allow us to improve your user experience.
Third party cookies
We use third party cookies on our website. Vapaus uses external platforms for digital communication and marketing, including LinkedIn, Youtube, Facebook, Yahoo and Google Ads. These platforms use both first-party and third-party cookies to advertise and track advertising results.
Managing your cookies settings:
As a Customer and/or User, you may accept the use of cookies when visiting the Service's website. You may also pre-block the use of cookies in certain browsers or set your browser to warn you if cookies are attempted to be applied.
For example, the following links provide information on how to change your cookie settings in the most popular browsers:
Please note, however, that some parts of our Service may not function properly if the use of cookies necessary for the functionality of the Service is blocked.
For more information about cookies in general, including how to manage and delete them, please visit www.aboutcookies.org or www.allaboutcookies.org.
Some of the third-party cookies we use are so-called web analytics services and other web analytics tools used by our Service to collect Analytics Data and reports on the use of the Service website (Google Analytics and Leadfeeder). For more information about Google Analytics, please visit the Google Analytics website. You can opt-out of the collection of data by Google Analytics by downloading the Google Analytics opt-out add-on for your browser.
4. Joint Controllership
Vapaus Bikes Finland Oy ("we" or "our") collaborates with Vapaus Bikes Sverige AB located in Sweden to jointly determine the purposes and means of processing personal data collected through our shared platforms and services. This means that both Vapaus Bikes Finland Oy and Vapaus Bikes Sverige AB act as "joint controllers" under the EU General Data Protection Regulation (GDPR).
Data collection and use
Both Vapaus Bikes Finland Oy and Vapaus Bikes Sverige AB determine what personal data is collected and how it is used for purposes such as marketing, analytics and service development.
Legal basis
We ensure that all processing is based on legal grounds in accordance with the GDPR (consent or legitimate interest).
Data subject requests
If you wish to exercise your rights (for example right of access, rectification, erasure, restriction of processing, objection or withdrawal of consent), you may contact either Vapaus Bikes Finland Oy or Vapaus Bikes Sverige AB using the contact details below. We cooperate closely to respond to requests in accordance with GDPR requirements.
Contact information:
Vapaus Bikes Finland Oy
Contact details as in section 1. Our contact information
Vapaus Bikes Sverige AB
c/o Finnish-Swedish Chamber of Commerce
P.O. Box 24103
104 51 Stockholm
kasper@vapaus.io
5. THE PURPOSE AND BASIS OF THE PROCESSING OF PERSONAL DATA
PURPOSES
Vapaus processes the Customer's and User's personal data for the following purposes:
To provide our Service and to fulfil our obligations under contractual relationships.
To provide our Service and to fulfil our obligations under contractual relationships, to comply with our legal obligations, for handeling claims and legal proceedings, for customer communication and marketing purposes, and to improve quality and to analyse usage trends.
Vapaus processes the Customer's and User's personal data in order to provide the Customer and User with the Service in accordance with the agreement
between the Customer and Vapaus. If, as a Customer or User, you contact our customer service, we will use the information you provide to answer questions and resolve any problems you may have.
To comply with our legal obligations:
Vapaus processes the Customer’s and/or User’s personal data to administer and fulfil its legal obligations under EU and/ or member state laws. This includes processing data to comply with accounting obligations and providing information to the relevant authorities, such as tax authorities.
For claims handling and legal proceedings:
Vapaus may process the Customer’s and/or User’s personal data in connection with legal claims, collection and legal proceedings. We may also process data to prevent fraud and misuse of our services and for data, system and network security purposes.
For customer communication and marketing purposes:
Vapaus may process the Customer’s and/or User’s personal data to contact the Customer and/or User in connection with our Service and to notify them of changes to our Service. We also use Customer personal data to market our Service and other relevant services and products to the Customer.
To improve quality and to analyse usage trends:
We may process User information about the use of our Service to improve the quality of our Service, for example, by analyzing various trends related to the use of our Service. We may also use the Customer’s and/or User’s personal data for customer satisfaction surveys to ensure that our Services are performing as desired. Where possible, we will only use aggregated information that does not identify an individual for this purpose.
BASIS
Legal basis for the processing of personal data:
Vapaus processes the Customer’s personal data in order to fulfil its contractual obligations to the Customer.
We process the Customer's and/or User's personal data in order to fulfil our obligations under the contractual relationship. We may also process the Customer's personal data for the purposes of processing credit information, collecting payments and dealing with breaches of contract.
In addition, we process the Customer's and/or User's personal data on the basis of our legitimate interests in order to conduct, maintain and develop our business and to establish and maintain customer relationships. Where we process the Customer’s and/or User’s personal data on the basis of our legitimate interests, we will balance our legitimate interests against the Customer's and/or User's right to privacy and provide our Customers with, for example, easy ways to opt-out of our marketing communications. We will also use pseudonymised or aggregated data from which the User cannot be identified, wherever possible.
We may also process the Customer’s and/or User’s personal data to comply with our legal obligations.
Some parts of our Service may require the User's consent to the processing of personal data. The User may withdraw such consent at any time.
We ask for your consent to the use of cookies that are not strictly necessary to enable the core functionality of our website and to provide the service you request when you visit our website. In this case, the basis for processing is based on consent.
In some situations, we process personal data on the basis of our legitimate interest. In the context of this processing, we have carried out a balancing test under the GDPR to assess whether the interests of the controller or a third party outweigh the rights and freedoms of the data subject. Based on our balancing test, we have concluded that our processing does not undermine the rights and freedoms of the data subject. If you would like more information about the balancing test carried out and its key criteria, please contact us.
6. TRANSFERS TO COUNTRIES OUTSIDE THE EUROPEAN ECONOMIC AREA
The service providers we use may operate in several geographical areas. We and our service providers may transfer personal data to, or have access to it in, countries outside the European Economic Area or your country of residence. By submitting your data and using our Service, you agree that we may transfer your personal data outside the European Economic Area and your country of residence to the extent necessary to provide the service and to the extent permitted by law.
We take steps to ensure that your personal data is adequately protected where your personal data is processed. Contracts for the processing of personal data are constantly updated to comply with the applicable legislation in force. If personal data would be transferred or stored in the USA, personal data would only be transferred or stored to/with such parties, which are committed to comply with the Data Privacy Framework between EU and USA. Such transfers or storage would be conducted in a way, that we would ensure an adequate level of data protection through agreements based on the Standard Contractual Clauses on data protection approved by the European Commission.
For more information on transfers of personal data and standard contractual clauses, please contact us using the contact details above.
7. RECIPIENTS
We will share your personal data with third parties, such as our partners, affiliates and service providers, only to the extent reasonably necessary for the purposes of this Privacy Policy or to establish, exercise or defend a legal claim relating to the Service. We may also disclose your personal data to public authorities if we are required to do so by law.
To the extent that third parties need access to personal data in order to perform the Service, we may transfer personal data to such third parties. Such third parties include, but are not limited to, payment service providers, affiliates, sales and marketing service providers, data storage and service providers, and competent authorities.
Where third parties process data on behalf of Vapaus, Vapaus has taken appropriate contractual and organisational measures to ensure that the processing of personal data is carried out solely for the purposes set out in this Privacy Policy and in accordance with applicable laws, regulations and our instructions, subject to appropriate confidentiality obligations and security measures.
Where the User discloses personal data directly to a third party, for example through a link on our website, the processing of personal data will normally be based on that third party's own privacy policy and processing principles.
For legal reasons:
We may disclose personal data to third parties outside our organization if access to and use of the personal data is reasonably necessary (i) to comply with any applicable law, regulation and/or court order; (ii) to detect, prevent and address fraud, crime or security or technical issues; and/or (iii) to protect the interests or property of Vapaus, the Customer or the User or to ensure security or protect the public interest in accordance with law. Where possible, we will notify the Customer and/or User of such transfer and processing.
For other legitimate reasons:
If Vapaus is a party to a merger, asset deal or other acquisition, we may disclose personal data to a third party involved in that acquisition. However, we will ensure that all personal data remains confidential. In such a case, we will notify of the transfer as soon as reasonably possible to the Customers and/or Users whose personal data is affected by the transfer or whose personal data will be subject to a different privacy policy.
With your explicit consent:
We may disclose personal data to third parties outside of Vapaus where we have the express consent of the Customer and/or User. You have the right to withdraw your consent at any time.
8. RETENTION PERIOD
Vapaus will not retain personal data for longer than the maximum period permitted by law and only for as long as is necessary for the purposes of this Privacy Policy. The retention period depends on the nature of the data and the purpose of the processing. The maximum retention period may therefore vary from case to case.
Most personal data relating to a data subject's User account will be deleted within 90 days after the data subject has deleted their account. Thereafter, we may retain some personal data for as long as we are required to do so by law or have a legitimate reason to retain the data, for example, for claims processing, accounting, internal reporting or dispute resolution purposes. All personal data relating to a User's account will be anonymized or destroyed within ten (10) years after the User has deleted their account related to the Service, unless longer retention is exceptionally necessary, for example, for legal proceedings.
Without prejudice to Section 3 of this Privacy Policy, we will retain Analytics Data relating to Users for twenty-six (26) months from the date of the User's visit to our Service.
9. YOUR RIGHTS
Right of access:
As a Customer and/or User, you have the right to access and obtain information about the personal data we process about you. Customers and Users have the possibility to access certain Customer and User Data through their user account. You have the right to request a copy of your personal data from us.
Right to withdraw consent:
Where processing is based on consent given by the User, the User may withdraw consent at any time. Withdrawal of consent may limit the User's ability to use the Service. Withdrawal of consent does not affect the legitimacy of the processing of personal data that we processed prior to the withdrawal.
Right to rectification:
As a Customer and/or User, you have the right to require us to rectify or complete any inaccurate or outdated personal data we hold by contacting us. Customers and/or Users may rectify or update some of their personal data relating to them through their user account.
Right to erasure:
As a Customer and/or User, you may request us to erase your personal data from our systems. We will comply with your request if we have no legitimate reason not to erase your data.
Right to object:
As a Customer and/or User, you may object to the processing of your personal data where the data is processed for purposes other than to provide our Service or to comply with our legal obligations. However, objecting may limit your ability to use our Service.
Right to restriction of processing:
As a Customer and/or User, you may request us to restrict the processing of your personal data, for example, where your request for erasure, rectification or objection is pending and/or where we do not have legitimate grounds to process your data. However, this may limit your ability to use our Service.
Right to data portability:
As a Customer and/or User, you have the right to receive your personal data from us in a structured and commonly used format and the right to transfer the data independently to a third party.
The right not to be subject to automated decision-making:
We do not make decisions based solely on automated processing that would affect an Customer’s and/or User's rights or obligations in a material way. Any personal data processing processes will be developed in such a way that they do not involve decisions of legal or contractual significance without human involvement. If we subsequently decide to use automated decision-making, we will inform you of this separately and ensure that you still have the right to request a review and human assessment if a decision is based partly or wholly on automated processing.
Exercise of rights:
The above-mentioned rights may be exercised by sending a letter or email to the above-mentioned addresses containing the following information: full name, address, email address and telephone number. We may request additional information necessary to prove the identity of the Customer and/or User. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded or for any other legal reason.
10. DIRECT MARKETING
The Customer and/or User has the right to prohibit us from using Customer Data and/or User Data for direct marketing, market research and profiling for direct marketing purposes by contacting us using the contact details provided above or by using the unsubscribe option provided in direct marketing messages.
11. LODGING A COMPLAINT
If the Customer and/or User considers that our processing of personal data is in breach of applicable data protection legislation, they may lodge a complaint with the local supervisory authority. The local supervisory authority in Finland is the Data Protection Ombudsman (www.tietosuoja.fi).
12. INFORMATION SECURITY
We use administrative, organisational, technical and physical safeguards to protect the personal data we collect and process. The measures we use include data encryption, pseudonymisation, firewalls, secure facilities and systems protected by limited access rights. Our security measures are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and recoverability. We regularly test our Service, systems and other hardware for vulnerabilities.
If, despite our security measures, a data breach occurs that is likely to have an adverse effect on the privacy of Customers and/or Users, we will notify the relevant Customers and/or Users and other affected parties as required by applicable law and, where required by applicable data protection legislation, the authorities as soon as possible. The notification to the Office of the Data Protection Ombudsman will be made at the latest within 72 hours of the discovery of the breach, as required by law, where the breach may pose a risk to the rights or freedoms of natural persons.
13. PROCESSING OF CREDIT DATA IN THE CONTEXT OF CONSUMER CONTRACTS
Collection and use of credit data
Vapaus processes credit data in connection with Jengi consumer contracts in order to assess the Customer's/User's creditworthiness and ability to pay before entering into a long-term rental contract.
Credit data processed
We may process the following credit information:
- Positive credit information from the Positive Credit Information Register (Law 739/2022), including information on existing credit, credit amounts and payment history
- Payment default information from credit reference agencies
- Income data from the Incomes Register, if applicable
- Other information related to the assessment of creditworthiness
Legal basis for processing
The processing of credit data can be based on:
- The obligation under the Consumer Protection Act to assess the consumer's creditworthiness before granting consumer credit (Chapter 7 of the Consumer Credit Act)
- Legitimate interest (GDPR 6(1)(f)) to assess the contracting party's ability to pay in order to minimise contractual risk
- For the performance of the contract (GDPR 6(1)(b)), where the creditworthiness assessment is necessary for the conclusion of the contract
Data sources
Credit information can be obtained from the following sources:
- Positive credit information register (Tax Administration)
- Credit reference agencies (e.g. Suomen Asiakastieto Oy)
- Incomes Register, if applicable
- Information provided by the Customer