PRIVACY POLICY

Of What to Do Applications Oy

Updated 18.08.2025

What to Do Applications Oy is committed to complying with and processing personal data in accordance with applicable data protection legislation.

Data protection legislation refers to the applicable data protection laws, such as the General Data Protection Regulation of the European Union (2016/679) and the Data Protection Act (5.12.2018/1050). Terms related to data protection not defined in this privacy policy are interpreted in accordance with data protection legislation.

Data Controller

What to Do Applications Oy (Y-3500736-8)

D&B 36-920-8456

Finland

support@wtda.fi

Here in after “Data Controller”

Contact Person

Tuomo Erkinharju, Data Protection Officer

tuomo.erkinharju@wtda.fi

Personal Data Registers Maintained by the Data Controller

• User Register
• Payment Information Registers

Purpose and Legal Basis for Processing Personal Data

The Data Controller processes personal data on several legal grounds. The primary purpose of processing personal data is the maintenance of the user register, protection of the Data Controller’s legitimate interests, safeguarding of the Data Controller and its users, and fulfillment of contractual and statutory obligations

The primary legal bases for processing personal data are the consent of the data subject, a contractual relationship, or the legitimate interest of the Data Controller.

Processed Personal Data

Information stored in the registers may include, for example:

• Name
• Phone number
• Email address
• Photos

We use google analytics to collect data about the usage of our website and application. The data collected includes, for example:

• The pages visited
• The browser and device type
• Referring websites
• Approximate location based on timezone and browser language settings
• Time of visit and duration

Regular Data Sources

Personal data is primarily collected directly from the data subjects, for example, during membership registration and event sign-ups.

Contact information of representatives of companies and other organizations can also be collected from public sources such as websites, directory services, and other organizations.

Data Processors and Disclosure of Personal Data to Third Parties

Personal data is primarily processed by the Data Controller’s board and employees.

External data systems may also be used for processing personal data. In such cases, the Data Controller ensures that the data is handled confidentially and in compliance with applicable data protection legislation.

The Data Controller uses the following external services and systems for the processing of personal data:

• Firebase, provided by Google LLC. The service is used for backend infrastructure, authentication, and cloud database functionalities. Personal data is processed in accordance with Google’s privacy policy, available at https://policies.google.com/privacy.
  
  
• Google Analytics, provided by Google LLC. The service is used for application usage analytics and performance monitoring. Personal data is processed in accordance with Google’s privacy policy, available at https://policies.google.com/privacy.
  
  
• Google / Google Play, provided by Google LLC. The service is used for application distribution and in-app purchases on Android devices. Personal data is processed in accordance with Google’s privacy policy, available at https://policies.google.com/privacy.
  
  
• Apple / App Store, provided by Apple Inc. The service is used for application distribution and in-app purchases on iOS devices. Personal data is processed in accordance with Apple’s privacy policy, available at https://www.apple.com/legal/privacy/.
  
  

Data is not regularly disclosed to other parties than mentioned above. Data may be published to the extent agreed with the data subject.

‍

The Data Controller may also disclose personal data to competent authorities when required by law or when involved in legal proceedings or similar processes. In the event of an association merger or similar arrangement, personal data may also be disclosed.

‍

The Data Controller complies with applicable data protection legislation when disclosing personal data.

Transfer of Personal Data Outside the EEA

Personal data is primarily processed within the European Economic Area (“EEA”). If personal data is processed outside the EEA and the European Commission has not issued an adequacy decision on the level of data protection, the transfer is carried out in accordance with the European Commission’s standard contractual clauses (2021/3974/EU, as amended).

‍

Subcontractors or servers used by the Data Controller may be located outside the EEA. In such cases, the Data Controller ensures the lawfulness of data transfers and adequate safeguards, for example, by using the European Commission’s standard contractual clauses. For example, services such as Google Workspace or Firebase may involve the transfer of personal data outside the EEA. These transfers are subject to the European Commission’s standard contractual clauses.

Data Protection and Retention

Care is taken when processing the register, and data processed through information systems is appropriately protected. Register data is stored on internet servers, and the physical and digital security of their hardware is appropriately maintained. The Data Controller ensures that stored data, server access rights, and other critical personal data security information are handled confidentially and only by those whose job descriptions include it.

‍

The Data Controller retains personal data only for as long and to the extent necessary for the purposes defined in this privacy policy or as required by contracts or legislation. Retention periods vary depending on the purpose of use and situation; additional information on retention periods is available upon request. The Data Controller also strives to update registered data proactively from time to time.

General Rights of the Data Subject

The Data Controller adheres to the rights guaranteed to the data subject by data protection legislation. The applicability of these rights depends on the specific circumstances and purpose of personal data processing.

‍

The data subject has:

• The right to access data
  The data subject has the right to obtain confirmation as to whether personal data are processed by the controller and to have access to the data. The data subject has the right to obtain a copy of the personal data and to receive information on the processing of personal data as defined in the data protection legislation.
• The right to withdraw consent
  Where the processing of personal data is based on the data subject's consent, the data subject has the right to withdraw consent.  
• The right to rectify data
  The data subject has the right to obtain the rectification of inaccurate or incorrect personal data and the completion of incomplete personal data.
• The right to erasure of data and to be forgotten
  The data subject has the right to have personal data erased in accordance with data protection legislation. The Data Controller may refuse this request if it has a legitimate reason to retain the data.
• The right to restrict data processing
  The data subject has the right to request restriction of the processing of personal data under the conditions laid down in data protection legislation.
• The right to data portability
  The data subject has the right to have personal data transferred to another controller, where technically feasible, in accordance with the conditions laid down in data protection legislation. This right applies where personal data are processed automatically, where personal data are processed on the basis of consent or contract, where the data concern the data subject and are provided by the data subject, and where the transfer does not adversely affect the rights of third parties.
• The right to object to data processing and avoid automated decision-making
  The data subject has the right to object to the processing of personal data on the basis of legitimate interests, subject to the conditions laid down in data protection legislation. However, the controller has the right to refuse a request where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by third parties. The data subject has the right not to be subject to a decision based solely on automated processing, such as profiling. However, the controller has the right to refuse the request in accordance with the applicable exceptions in data protection legislation. The data subject always has the right to object to the processing of personal data for direct marketing purposes.

Exercising Rights

The data subject can make requests regarding their rights via email to the data protection officer’s email address listed above. Requests must include the data subject’s name, email address, and phone number. The Data Controller verifies the data subject’s identity with a copy of an identity document (such as a passport or driver’s license). The Data Controller responds within a reasonable time.

The data subject can always contact the competent data protection authority if they believe their data is being processed in violation of data protection legislation.

Updating the Privacy Policy

The Data Controller updates this privacy policy as needed, for example, when legislation changes. Data subjects are informed directly of changes affecting the Data Controller's privacy practices, and it is advisable to review this privacy policy periodically.

You can reach our customer support team by emailing support@wtda.fi