KatuParkki Privacy Policy

This Privacy Policy explains how KatuParkki Technologies Oy (“KatuParkki”, “we”, “us”) processes personal data when you use the Service.

1. Data controller and contact details

Controller: KatuParkki Technologies Oy
Business ID (Y-tunnus): 3549503-1
Address: Antinkatu 3 D, 7. krs, 00100 Helsinki, Finland
Contact (privacy requests and questions): support@katuparkki.fi

2. Definitions

• Personal data: information relating to an identified or identifiable natural person.
• Parking operator: the municipality, private operator, landowner, or enforcement party responsible for the parking location’s rules and enforcement.
• ANPR / Camera Parking: Automatic Number Plate Recognition systems that may detect vehicle entry/exit and license plate numbers at certain sites.

3. What personal data we process

3.1 Data you provide to us

• Account, contact, and billing details: phone number (used for one-time passcodes), and (if you provide it or it is needed for payment-related purposes) email address, name, and billing/contact address.
• Vehicle data: license plate number and country code; settings related to Camera Parking enablement.
• Support and communications: messages you send to support, and related correspondence.

3.2 Data we generate or observe when you use the Service

• Parking and transaction data: parking sessions, selected zone/location identifiers, start/stop times, permits (if applicable), receipts, and billing information.
• Payment method metadata: payment method identifiers/tokens and related status (we do not store full card numbers, CVV, or complete card data).
• Device and technical data: device type and OS, app version, IP address, identifiers such as device ID and push notification token, logs necessary for operating and securing the Service.
• Diagnostic and usage data: information about how the Service is used, such as screens viewed, navigation events, taps/clicks, and error events. We may use limited diagnostic recordings of in-app activity, often called “session replay”, to troubleshoot technical issues and improve the reliability of the Service. Such tools are configured to limit the collection of personal data, for example by masking input fields and other identifying information.

3.3 Location data

The app may request foreground location permission to show nearby parking options and help you choose the correct zone. We do not require background location tracking for core app use.

3.4 Data we receive from third parties

• Parking operator / ANPR events: entry/exit events, zone/site identifiers, and license plate reads from camera/garage systems at participating sites.
• Payment status signals from payment providers (for example confirmation that a payment method was saved or a charge succeeded/failed).

4. Why we process your data (purposes and legal bases)

We process personal data for the following purposes and legal bases under GDPR Article 6:

• Provide the Service and fulfill our contract with you (Art. 6(1)(b)): account creation/login via OTP; managing vehicles; starting/stopping sessions; generating receipts; customer support.
• Process payments and billing (Art. 6(1)(b)): enabling payment method setup, charging for parking/permits, generating receipts, handling refunds where applicable, and using billing name and address where needed for payment provider or invoicing requirements.
• Comply with legal obligations (Art. 6(1)(c)): accounting, tax, and other mandatory recordkeeping.
• Ensure security, prevent abuse and fraud, and protect the Service (Art. 6(1)(f)): security logging, rate limiting, device verification/attestation, and fraud detection. This may include automated protective measures such as temporarily blocking suspicious devices or requests.
• Operate and improve the Service (Art. 6(1)(f)): reliability monitoring, debugging, and technical diagnostics (including analysis of error reports and, where used, diagnostic recordings/session replay).

If we rely on consent (Art. 6(1)(a)) for any optional processing (for example certain marketing communications where required), you can withdraw your consent at any time.

5. Recipients of personal data (who we share data with)

We do not sell personal data. We share personal data only when necessary to provide the Service, comply with law, or protect our rights.

5.1 Parking operators and enforcement parties (independent controllers)

Parking operators and enforcement parties typically process data as independent data controllers for their own purposes (such as validating that parking was paid and enforcing parking rules). We may share or exchange information needed to validate parking, such as license plate number, zone/site identifier, and session start/stop times.

5.2 Payment providers

Payments are processed by third-party payment processing service providers. These providers process payment data under their own terms and privacy notices. Where needed to complete or support a payment, refund, fraud prevention, or compliance check, payment-related details may include your name and billing/contact address. KatuParkki receives only the payment metadata needed to operate the Service (for example payment method tokens and status).

5.3 Service providers (processors)

We use trusted third-party service providers to help us operate the Service. These include providers of:

• Cloud hosting and storage services
• SMS and push notification delivery services
• Service monitoring and analytics tools (including tools that may process diagnostic usage data and limited diagnostic recordings to help us troubleshoot technical issues)
• Payment processing services

We may update our service providers over time. We ensure appropriate contractual safeguards for processors where required.

5.4 Authorities and legal recipients

We may disclose information to competent authorities where required by law, or to establish, exercise, or defend legal claims.

6. Location of personal data

Personal data is processed within the EU/EEA, and the infrastructure of the service providers we use is located within the EU/EEA. Any potential access to personal data from outside the EU/EEA (for example technical support by a service provider’s group company) is restricted by the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and by necessary supplementary technical and organizational measures.

7. Data retention

We keep personal data only as long as necessary for the purposes described above, unless a longer retention period is required by law (for example accounting obligations) or to handle disputes.

Typical retention periods:

• Account, contact, and billing details: retained while your account is active; deleted or anonymized after account deletion unless retention is required for legal obligations, payment handling, accounting, tax, or disputes.
• Parking history, receipts, invoices, and accounting records: retained for the period required by applicable accounting/tax laws (typically several years).
• Support communications: retained for a limited period to handle your request and follow-ups, unless a longer period is needed due to a dispute or legal claim.
• Security logs and anti-abuse signals (e.g., IP addresses, device identifiers, attestation verdict summaries): retained for a limited period necessary for security and fraud prevention.
• Technical diagnostics data (e.g., error reports, performance metrics, and diagnostic recordings/session replay where used): retained for a limited period (typically days or weeks) to investigate issues and improve reliability.
• Push notification tokens: retained until you revoke permission, the token expires, or your account is deleted.

8. Your rights

Under GDPR and Finnish data protection laws, you have the right to:

• access your personal data
• rectify inaccurate data
• request deletion of your data (subject to legal obligations)
• restrict processing
• data portability (where applicable)
• object to processing based on legitimate interests
• withdraw consent where processing is based on consent

To exercise your rights, contact us at support@katuparkki.fi. We may ask you to verify your identity before acting on your request.

You also have the right to lodge a complaint with the Finnish supervisory authority:
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto): tietosuoja.fi

9. Security

We use appropriate technical and organizational measures to protect personal data, including access controls, monitoring, and encryption in transit where applicable. We regularly assess and improve our safeguards to support the security of the Service and the protection of personal data.

10. Children

The Service is intended for adults due to legal capacity requirements. We do not knowingly collect or process personal data concerning children under 13 years of age (the age threshold under section 5 of the Finnish Data Protection Act 1050/2018 for consent-based processing in information society services). If you notice that a minor has registered for the Service without guardian consent, please contact support@katuparkki.fi.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be made available in the Service and/or on our website, along with an updated “Last updated” date.

Contact

For privacy-related inquiries, contact us at: