Privacy Policy

Data Controller: Iotera Oy Business ID: 3454475-1 Address: Tanhuankatu 63b, 33560 Tampere, Finland Email: janne@iotera.fi Data Protection Officer: Janne Kaikkonen Email: janne@iotera.fi

We process personal data for the following purposes: • Aggregating and displaying tax data for accounting firm clients — letters, VAT returns, prepayments, income register filings, and tax summaries are retrieved from the Finnish Tax Administration APIs and presented in a centralized view. • User account management and authentication — registration, sign-in, multi-factor authentication, and organization management. • Enabling Suomi.fi authorization management — transmitting authorization data between the accounting firm and the Tax Administration. • Service maintenance, security, and auditing — collecting usage logs, resolving incidents, and fulfilling statutory record-keeping requirements. • Complying with legal obligations — Accounting Act, tax procedure, and GDPR requirements.

Personal data processing is based on the following GDPR legal bases: • Contract (Article 6(1)(b)) — Processing user data is necessary for the performance of the service agreement. Processing accounting firm client data is based on the service agreement between the firm and VeroNavi. • Legal obligation (Article 6(1)(c)) — Collecting and retaining audit logs is required by Suomi.fi authorization terms and the Accounting Act. • Legitimate interest (Article 6(1)(f)) — Ensuring service security, preventing misuse, and improving the service. A legitimate interest balancing test has been conducted. • Consent (Article 6(1)(a)) — Use of cookies for analytics purposes (if applicable). Consent can be withdrawn at any time.

User data (accounting firm employees): • Name (first name, last name) • Email address • Password hash — managed by Keycloak • Organization name, business ID, and address • User role within the organization • Login history and IP addresses Client data (accounting firm clients): • Company name and business ID • Contact person name and details • Suomi.fi authorization data and validity Tax data (from Tax Administration APIs): • Tax letters and notices • VAT returns and decisions • Prepayment decisions and payment status • Income register filings • Tax summaries and decisions Technical data: • IP address, browser type, operating system • Audit logs (who viewed whose data, when) • Session data and cookies

Tax data is financially sensitive, although it does not fall under GDPR Article 9 special categories. The Finnish personal identity code is specially protected under Section 29 of the Finnish Data Protection Act. VeroNavi does not collect or store clients' personal identity codes. Clients are added and tax data is retrieved using the business ID alone. If a personal identity code is entered by mistake, the system rejects it and it is not stored.

Personal data is disclosed or transferred to the following parties: • Finnish Tax Administration — retrieving tax data through mTLS-secured APIs • Suomi.fi / Digital and Population Data Services Agency — authorization management • Hetzner Online GmbH — server infrastructure and authentication service (Keycloak) (Finnish servers). Hetzner provides infrastructure. • PostgreSQL database — hosted in the same infrastructure as the authentication service. A GDPR Article 28 compliant Data Processing Agreement (DPA) has been signed with all processors.

All personal data is processed and stored on servers located within the EU/EEA (Hetzner, Finland). The authentication service (Keycloak) runs in the same infrastructure. Tax data is not transferred outside the EU/EEA. If the legal basis for transfers changes, we will update this policy and notify users accordingly.

• User data — retained as long as the user account is active and 30 days after account deletion. • Client data — retained as long as the client relationship is active. Deleted client data is anonymized within 90 days. • Tax data — retained for the current year + 6 years per the Finnish Accounting Act (1336/1997). • Audit logs — retained for 10 years per Suomi.fi authorization terms and the Accounting Act. • Technical logs — retained for 90 days. • Backups — deleted within 30 days of the original data deletion. After the retention period, data is automatically deleted or irreversibly anonymized.

Under the GDPR, you have the following rights: • Right of access (Article 15) — You can request a copy of all personal data concerning you. • Right to rectification (Article 16) — You can request correction of inaccurate data. • Right to erasure (Article 17) — You can request deletion of your data, unless there is a legal basis for retention. • Right to restriction (Article 18) — You can request restriction of processing in certain situations. • Right to data portability (Article 20) — You can receive your data in a machine-readable format. • Right to object (Article 21) — You can object to processing based on legitimate interest. • Right to withdraw consent — If processing is based on consent, you can withdraw it at any time. Requests should be sent to janne@iotera.fi. We respond to requests within 30 days. Identity is verified before data is disclosed. If you believe your data is processed in violation of data protection legislation, you have the right to file a complaint with the Data Protection Ombudsman: Office of the Data Protection Ombudsman tietosuoja.fi tietosuoja@om.fi

We protect personal data with the following technical and organizational measures: • Encryption in transit (TLS 1.3) for all communications • mTLS authentication for Tax Administration API connections • Role-based access control (RBAC) — users can only see their own organization's data • Comprehensive audit log of all data access and modifications • Database located in the EU with restricted access • Passwords stored as bcrypt hashes (Keycloak) • Automatic session expiration • Regular security audits and vulnerability scanning • Backups encrypted and stored in a separate location

VeroNavi uses the following cookies: Essential cookies (no consent required): • Session cookie — user identification after login (Keycloak JWT) • Language preference — remembering selected language • CSRF protection — form security Essential cookies are necessary for the service to function and cannot be disabled. Analytics cookies are not currently in use. If analytics cookies are introduced, separate consent will be requested.

We reserve the right to update this Privacy Policy. Users will be notified of material changes via email or through the service at least 30 days before the changes take effect. We recommend reviewing this policy regularly.

For data protection inquiries and requests: Iotera Oy Email: janne@iotera.fi Address: Tanhuankatu 63b, 33560 Tampere, Finland We respond to all data protection requests within 30 days.