Privacy policy

PRIVACY POLICY

Last updated: 19.5.2026

1. Introduction

This Privacy Policy explains how Vext Oy (“we”, “us”, “our”) processes personal data in connection with the Vext ecosystem, which includes:

  • the Vext mobile application
  • the Vext 2.0 connected device (smart cabinet)
  • the Vext website (including e-commerce functionality)
  • the cloud backend infrastructure supporting these services

We are committed to processing personal data in accordance with applicable data protection laws, including Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”).

2. Data Controller Information

The data controller responsible for the processing of personal data is:

Vext Oy

Otakaari 5a, 02150, FINLAND

Email: support@vext.fi

3. Scope of This Policy

This Privacy Policy applies to all personal data processed through:

  • the Vext mobile application
  • the Vext website
  • the Vext connected device
  • backend services and infrastructure

These systems operate together as an integrated IoT ecosystem, where data may flow between device, application, and backend services. 

4. Categories of Personal Data

We process the following categories of personal data:

4.1 Account Data (App and Website)

  • account identifiers (e.g., email address)
  • authentication credentials
  • account-related settings

Website accounts (e-commerce) and app accounts are separate but may be processed within shared backend systems. 

4.2 Customer / Order Data (Website)

Processed via the website environment:

  • name
  • shipping and billing information
  • order history
  • payment-related information (processed by payment providers)

4.3 Device Data (Cabinet)

  • device identifiers
  • firmware version
  • device status
  • connectivity status

4.4 User-Provided Device Configuration Data (App)

  • cabinet name
  • timezone settings
  • lighting schedules
  • brightness levels
  • user-defined configuration settings

4.5 Sensor and Telemetry Data (Cabinet)

  • environmental sensor readings
  • operational status data
  • device telemetry records stored in backend systems

4.6 Usage and Diagnostic Data (App + Backend)

May include:

  • application usage data (such as screens accessed, interaction frequency, and engagement duration)
  • user interaction events (including screen view events and derived analytics metrics)
  • device information (such as device model, operating system version, and application version)
  • approximate location (such as city-level location inferred from IP address or similar metadata)
  • performance and engagement metrics
  • crash logs and diagnostic reports

This data is primarily processed in an aggregated or pseudonymised form where possible and is used to operate, maintain, and improve the Services. 

4.7 Authentication and Session Data

  • login events
  • session tokens
  • authentication logs

4.8 Infrastructure and Log Data

Automatically generated backend logs may include:

  • IP addresses
  • request timestamps
  • request frequency and access patterns used for rate limiting and abuse prevention
  • identifiers used to enforce rate limits (such as account-related identifiers or device-associated identifiers, where applicable)
  • authentication events
  • metadata related to API requests (such as timestamps and IP-related data)
  • database and storage access logs

These logs are generated as part of the backend infrastructure and are necessary to ensure the proper functioning and reliability of the services. This data is used solely for operational and security purposes and is not used for profiling or marketing. 

4.9 Support and Communication Data

  • customer support messages
  • communication records

4.10 Marketing Data (Where Applicable)

  • email address
  • subscription preferences
  • campaign interaction data

5. How Data Is Collected

We collect personal data through:

  • interactions with the mobile application
  • device communication with backend systems
  • website transactions and account activity
  • automatic logging by backend infrastructure
  • communication with customer support

Device and application data are transmitted to backend systems to enable synchronization and operation of the service.

Certain data is collected automatically through the use of the App, Device, and backend infrastructure. This includes technical logs, usage data, and diagnostic information generated by system interactions, device communications, and backend services. 

6. Purposes of Processing

We process personal data for the following purposes:

  • Service Provision and Account Management
    • providing and operating the Vext ecosystem
    • device management, configuration, and control
    • enabling communication between device, application, and backend systems
    • authentication and account management
    • order processing and delivery (website)
  • Security and Reliability
    • system diagnostics, troubleshooting, and service reliability
    • security monitoring, abuse prevention, and ensuring system integrity
    • enforcing technical rate limits to protect services from excessive or abusive requests
  • Analytics and Improvement
    • monitoring and analysing usage of the Services
    • improving performance, reliability, and user experience
    • developing and improving features and functionalities of the Services
  • Business Operations
    • providing customer support
    • sending marketing communications (where applicable and consented)

Device telemetry and configuration data are used to:

  • operate, maintain, and control the connected device
  • enable device functionality and automated processes
  • monitor device performance and detect malfunctions

7. Legal Bases for Processing

We rely on the following legal bases under GDPR:

  • Performance of a contract (Art. 6(1)(b))
    Processing necessary to provide the Vext ecosystem and its core functionalities, including:
    • providing and operating the Vext ecosystem
    • device management, configuration, and control
    • enabling communication between device, application, and backend systems
    • authentication and account management
    • order processing and delivery
    • customer support

  • Legitimate interests (Art. 6(1)(f))
    Processing necessary for our legitimate interests in:
    • ensuring system security, integrity, and abuse prevention
    • maintaining and improving service performance and reliability
    • monitoring and analysing usage of the Services
    • diagnosing technical issues
    • developing and improving features and functionalities
    • enforcing technical rate limits

Where we rely on legitimate interests, we ensure that such interests are not overridden by your fundamental rights and freedoms.

  • Consent (Art. 6(1)(a))
    Processing based on your consent, where required, including:
    • marketing communications
    • analytics or tracking technologies where consent is required under applicable law

You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

  • Legal obligation (Art. 6(1)(c))
    Processing necessary to comply with applicable legal obligations.

8. Data Sharing and Recipients

Personal data may be processed by the following categories of recipients:

Infrastructure Providers

  • backend services
  • underlying cloud infrastructure providers

Service providers that support hosting, analytics, diagnostics, and infrastructure may process Usage and Diagnostic Data, including technical logs and metadata. These providers process data either on our behalf or, where applicable, as independent controllers in accordance with their own privacy terms.

Rate Limiting Providers

  • providers supporting backend protection, abuse prevention, and rate limiting functions

E-commerce Providers

  • providers supporting website operations and order management

Payment Processors

  • payment service providers

     (payment data is processed directly by providers)

Email and Communication Providers

  • providers delivering transactional communications
  • providers supporting marketing communications

Analytics Providers

  • providers supporting website analytics (subject to consent, where applicable)

Legal Authorities

Where required by law or to protect legal rights. 

9. International Data Transfers

Personal data may be transferred outside the European Economic Area (EEA), including to:

  • United States
  • Singapore
  • other regions depending on infrastructure providers

Where such transfers occur, appropriate safeguards are applied, which may include:

  • Standard Contractual Clauses (SCCs)
  • adequacy decisions issued by the European Commission

10. Data Retention

We retain personal data only for as long as necessary:

  • Account Data: retained for the duration of the account
  • Device Telemetry Data: retained while linked to an active account
  • Usage Data (Analytics): retained for a minimum of 2 months and up to 14 months. After this period, such data is automatically deleted or aggregated into anonymised statistical data that can no longer be associated with an identifiable individual.
  • Diagnostic Data (Crash Reports and Technical Logs): default diagnostic logs are retained for up to 30 days. Certain required diagnostic logs may be retained for up to 400 days to ensure service reliability, error analysis, and security monitoring. After the applicable retention period, such data is automatically deleted.
  • Infrastructure Logs: retained up to 7 days
  • Rate Limiting and Security Data: retained for a short duration necessary to enforce access limits and prevent misuse (typically minutes to hours)
  • Support Communications: retained for 12 months after last interaction

Backups

Backend systems perform automatic backups retained for up to 7 days.

Deleted data may persist temporarily in backups due to technical limitations and is automatically deleted after the applicable retention period. 

11. Security Measures

We implement appropriate technical and organizational measures, including:

  • encryption of data in transit
  • authentication mechanisms
  • access control within backend systems
  • monitoring of infrastructure logs
  • secure software development practices

No system can guarantee absolute security.

12. User Rights

Under GDPR, users have the right to:

  • access their personal data
  • rectify inaccurate data
  • request deletion of data
  • restrict or object to processing
  • request data portability
  • withdraw consent at any time

Requests can be submitted via the contact details below.

13. Data Deletion and Account Deletion

Users can request deletion of their account:

  • within the mobile application settings (recommended), or
  • by contacting support at support@vext.fi using the same email address associated with the account to be deleted

When contacting support, users should clearly specify whether the request concerns their mobile application account or their website (e-commerce) account, as these accounts are separate.

Using the in-app deletion option is recommended when deleting your mobile application account, as it ensures the request is correctly linked to your account.

Once a deletion request is submitted:

  • we will acknowledge receipt of the request
  • we will require confirmation of the request via email to verify identity

Following confirmation, the account will be deleted without undue delay and no later than one (1) month, unless a longer period is required due to legal or technical constraints.

Deletion of the account results in deletion of associated personal data, subject to limited retention where required by law or for legal claims.

For website (e-commerce) accounts, certain data related to completed orders may be retained where required to comply with legal obligations (such as accounting or tax requirements) or for the establishment, exercise, or defence of legal claims.

Due to technical limitations, some data may persist temporarily in backups or logs before being automatically deleted.

14. Children’s Data

The Vext services are not intended for children without appropriate supervision.

Where required by applicable law, additional safeguards may apply.

15. Cookies and Tracking

The website may use cookies and similar technologies, including:

  • analytics cookies (e.g., Google Analytics, Meta Pixel)
  • essential cookies for website functionality

A consent mechanism (cookie banner) is implemented where required. 

16. Changes to This Policy

We may update this Privacy Policy from time to time.

Where changes materially affect how personal data is processed, users will be notified through one or more of the following:

  • mobile application notifications
  • email
  • website notices

17. Contact Information

For any privacy-related questions or requests:

Email: support@vext.fi