työ.
fien
Get started

Privacy Policy

Last updated: 2026-05-11

Työ (operating under Innovategy Oy, a Finnish limited liability company, business ID issued in Finland; contact [email protected]) provides a WhatsApp-first AI operations layer for small independent local businesses — cafés, restaurants, retailers, workshops, and similar service providers. This policy explains how we process personal data when you interact with the service either as a business operator or as a customer messaging a participating business.

For businesses that subscribe to Työ, the business is the data controller of their customers' and team members' personal data. Innovategy Oy acts as a data processor under a Data Processing Agreement with each business.

What we process

  • Manager profile data: name, email address, phone number, preferred language, declared responsibilities and operational domains. Provided during onboarding.
  • Customer conversation data: phone numbers (E.164 format), message content sent via WhatsApp, language detected per message, and any structured information the customer shares (booking details, order specifics, contact name, preferences such as allergens). Received via Meta's WhatsApp Business Cloud API.
  • Operational data: timestamps, message-delivery identifiers (Meta-issued), session cookies, audit-log entries tracking every consequential action.
  • Authentication data: cryptographically hashed passwords (PBKDF2 with 100,000 iterations), session tokens stored in Redis, two-factor authentication secrets.

Why we process it

Legal bases under the GDPR (Article 6):

  • Contract performance(6.1.b): processing customer messages, bookings, and other inquiries to perform the business's service to the customer.
  • Legitimate interest (6.1.f): operational telemetry, audit logging, fraud and abuse prevention, cross-team coordination, and product improvement. Balancing test documented internally; you may request a copy.
  • Consent (6.1.a): only where explicitly requested, e.g. opting in to marketing communications. We do not currently run consent-based marketing flows.

How long we keep it

  • Conversation transcripts and inferred customer attributes: 90 days by default. Each business may configure a shorter retention. Decisions explicitly flagged as institutional knowledge by the business are retained until the business removes them.
  • Audit-log entries: retained for the lifetime of the customer relationship plus 12 months thereafter, for compliance and forensic needs.
  • Account and authentication data: deleted within 30 days of account termination, except where law requires longer retention (e.g. invoicing records).

Who else handles your data

To deliver the service we rely on a small set of carefully chosen sub-processors. Each is bound by a data processing agreement reflecting GDPR obligations.

  • Meta Platforms Ireland Limited — WhatsApp Business Cloud API. Hosts the messaging transport.
  • Anthropic PBC (United States) — Claude language models (Sonnet 4.6 + Haiku 4.5) for conversation orchestration, language detection, and translation. Subject to Standard Contractual Clauses (SCC) for transfers outside the EEA.
  • Voyage AI (United States)— embedding models for semantic search over the business's institutional memory. Subject to SCC.
  • Cloudflare, Inc. — object storage (Cloudflare R2) for business assets. EU region selected where available.
  • Coolify hosting infrastructure — the underlying servers run in EU jurisdictions.
  • Innovategy Oy internal services — Passbolt (credential vault) and Mosparo (bot protection), both self-hosted in the EU.

International transfers

Some sub-processors (Anthropic, Voyage AI, Cloudflare) operate from the United States. Transfers to these processors are protected by European Commission-approved Standard Contractual Clauses, plus additional technical measures: messages are encrypted in transit, and only the minimum data needed for the specific operation is transmitted.

Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Erase your data (see the deletion process).
  • Object to processing based on legitimate interest.
  • Restrict processing.
  • Data portability (receive your data in a machine-readable form).
  • Lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu, tietosuoja.fi).

To exercise any of these rights, email [email protected]. We respond within 30 days.

Security

Access tokens to third-party APIs (Meta, Anthropic, etc.) are encrypted at rest using AES-256-GCM. Passwords use PBKDF2 with 100,000 iterations. Session cookies are HTTP-only, Secure, and SameSite=lax. All HTTP transport uses TLS. Two-factor authentication is available and required for super-admin destructive actions.

Children

Työ is not directed at children. We do not knowingly collect data from anyone under 16. If you believe a child has interacted with the service, contact us and we will delete the data.

Changes to this policy

We update this policy when our processing changes. Material changes are announced via email to business operators at least 30 days before they take effect.

Contact

Innovategy Oy, Finland. [email protected] for privacy-specific questions. [email protected] for everything else.