Privacy Policy

1. Controller and Purpose of This Policy

This Privacy Policy explains how InSoHo Oy (Business ID 3319423-5, registered office Kuopio, Finland) processes personal data in connection with the Venuet service. Data protection questions can be sent to privacy@venuet.io.

InSoHo Oy acts as controller for personal data we process for our own customer relationships, user accounts, billing, support, security and service development. When an operator stores data about its own customers, inquiry senders, event guests or other recipients in Venuet, the operator will usually act as controller and InSoHo Oy as processor. That processing is described in more detail in the Data Processing Agreement.

2. Data We Process

We process data about service users and operators, such as name, email address, phone number, organisation name, role, login and access information, settings, billing information, support requests and service event data.

The service may also contain data about the operator's customers and inquiries, such as recipient name, email address, phone number, event date, guest count, budget, event type, dietary requirements, allergies, billing details, comments, acceptance and signature information, and proposal document content.

We do not store full payment card numbers. Payments are processed by a payment service provider such as Stripe.

3. Purposes of Processing

We use personal data to provide the service, manage user accounts, send proposals and messages, verify acceptances, provide customer support, handle billing and payments, prevent misuse, maintain security, monitor service quality and functionality, and comply with legal obligations.

If the operator enables the AI assistant, WhatsApp integration or another optional feature, we process the data needed to provide that feature. Use of the AI assistant is based on the operator's separate choice in the service.

4. Google Calendar Integration

If an operator connects Google Calendar, Venuet uses the Google Calendar API only to provide the optional calendar sync feature. Venuet retrieves the list of calendars the user can access so the user can choose the target calendar for sync. This is not used to import Google Calendar event contents into Venuet.

Venuet may create, update and remove Venuet-generated venue, proposal and internal-order events in the selected Google calendar. Data sent to Google may include the event title, date and time, status, room or location, guest count, a Venuet link, and a Venuet source identifier so the same event can be updated later without duplicates. For proposal-linked events, the description may also include the recipient email address and owner name where those are part of the event data in Venuet.

The sync is one-way: changes made in Google Calendar are not imported back into Venuet. Venuet uses Google user data only to provide and maintain calendar sync, not for advertising, marketing profiling or training AI models. The Google connection can be disconnected in the service settings; disconnecting removes Google OAuth credentials stored by Venuet, but does not automatically delete events already created in Google Calendar.

5. Legal Bases

Depending on the situation, processing is based on contract, legal obligation, legitimate interest or consent. Contract covers, for example, providing the service, user accounts, billing and support. Legal obligation covers, for example, accounting and regulatory duties.

Legitimate interest covers service security, misuse prevention, technical maintenance, product development and customer relationship management. Consent or a separate opt-in is used where a feature or law requires it, for example for certain optional AI or messaging features.

6. Recipients and Service Providers

We use trusted service providers to deliver the service. These may include payment processors, email services, cloud storage, database and hosting providers, logging and security providers, analytics and marketing measurement providers, and providers of optional features.

Current service providers may include Stripe for payments, Resend for email, Cloudflare R2 for file storage, Neon for database hosting, Vercel for hosting, Google Analytics for analytics, Google (Google Calendar API) for optional calendar sync, Meta Conversions API for marketing and conversion measurement, Anthropic for the AI assistant and Meta for WhatsApp messaging. Not all providers are used for every customer account or every feature. Service providers process personal data under contracts and applicable data protection law.

7. International Transfers

We aim to use services located in the EU/EEA where practical and appropriate for the service. Some providers or their group companies may, however, process personal data outside the EU/EEA, for example in the United States.

Where personal data is transferred outside the EU/EEA, we use applicable transfer mechanisms such as the European Commission's Standard Contractual Clauses, data privacy frameworks or other safeguards under GDPR.

8. Retention

We retain personal data for as long as necessary for the purposes described in this policy. User account and operator service data are usually retained while the customer relationship is active.

When an operator account is closed and a deletion request becomes final, active service data is generally deleted or anonymised within 30 days unless longer retention is necessary for law, legal claims, misuse investigation, security or accounting. Billing and accounting data is retained for the period required by applicable law. Backups expire according to normal backup rotation.

9. Cookies and Similar Technologies

Venuet uses essential cookies and similar technologies for login, session management, security, language preference and ensuring that the service works. These cookies are necessary to use the service.

We may use analytics and marketing measurement technologies on Venuet's website and in the service, such as Google Analytics and Meta Conversions API. These help us measure service usage, campaign performance and conversions, and improve the product. In that context, cookie or event identifiers, browser and device data, page and event data, and IP addresses may be processed. We use non-essential cookies and similar technologies only where enabled and, where required by applicable law, where there is a valid basis such as consent.

10. Your Rights

Under GDPR, you may have the right to access your data, request correction of inaccurate data, request deletion, request restriction of processing, object to processing based on legitimate interest, receive data in a machine-readable format, and withdraw consent where processing is based on consent.

Requests can be sent to privacy@venuet.io. If your request concerns data that Venuet processes on behalf of an operator, we may direct the request to that operator or handle it according to the operator's instructions.

11. Right to Lodge a Complaint

If you believe your personal data has been processed in violation of data protection law, you have the right to lodge a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman.

12. Security

We protect personal data with technical and organisational measures. These include encrypted transmission, access control, role-based permissions, logging, backups, contractual controls for service providers and limiting access to data based on work duties.

No electronic service is completely risk-free. If we detect a personal data breach, we will act according to applicable law and contractual obligations.

13. Changes to This Policy

We may update this Privacy Policy when the service, processing practices or law changes. Material changes will be notified in a reasonable way, for example by email or in the service.