This Privacy Policy explains how Kasvu Labs Oy (the“Company”) collects, uses, discloses, stores, and otherwise processes personal data in connection with Kasvu Discovery (the “Platform”), the Company’s research-focused digital tool.
The Company is committed to handling personal data responsibly, transparently, and in accordance with applicable data protection laws. This Privacy Policy is intended for users of the Platform, customer representatives, research collaborators, website visitors interacting with the Platform environment, and other individuals whose personal data may be processed in connection with the Platform.
1. Who is responsible for processing personal data
For the purposes of this Privacy Policy, Company means the Kasvu Labs legal entity responsible for the relevant processing activity.
Where the Company acts as a controller, it decides why and how personal data is processed. Where the Company acts as a processor, it processes personal data on behalf of a customer, research organisation, or other controller in accordance with applicable contractual arrangements. In some collaboration contexts, the Company and another organisation may each have their own independent responsibilities, or may jointly determine certain aspects of processing.
If you have questions about this Privacy Policy or about the Company’s privacy practices, you may contact:
Privacy contact: privacy@kasvulabs.com
Support contact: support@kasvulabs.com
Postal address: Aukustinkuja 13, 33710 Tampere, Finland
2. Scope of this Privacy Policy
This Privacy Policy applies to personal data processed in connection with:
| Processing context | Examples |
|---|---|
| Platform account and access management | User registration, login, authentication, user profile management |
| Platform operation and support | Technical support, service communications, troubleshooting, product maintenance |
| Customer and business relationship management | Contracting, billing contacts, service administration, account management |
| Platform usage and security | Logs, security monitoring, performance monitoring, fraud and misuse prevention |
| Research and data-enabled functionality | Search, analysis, workflow support, research collaboration features, user-submitted content or inputs |
| Legal and compliance matters | Responding to requests, enforcing terms, protecting rights, meeting legal obligations |
This Privacy Policy does not necessarily apply to third-party systems, datasets, websites, or services that are linked to or accessed through the Platform but governed by separate privacy documentation.
3. What personal data we may process
Depending on how the Platform is used and the relationship involved, the Company may process the following categories of personal data:
| Category of personal data | Examples |
|---|---|
| Account and identity data | Name, username, professional title, organisation, login credentials or authentication identifiers |
| Contact data | Email address, telephone number, business address, support correspondence details |
| Customer and relationship data | Organisation name, account ownership details, contract-related details, billing contact information |
| Technical and device data | IP address, browser type, operating system, device identifiers, session data |
| Usage and log data | Access times, feature usage, clickstream information, audit logs, troubleshooting logs |
| User-submitted content | Queries, search inputs, uploaded files, comments, workflow inputs, research-related submissions |
| Communications data | Messages sent through support channels, meeting notes, feedback, service inquiries |
| Compliance and security data | Access-control records, incident-related records, abuse-prevention records, legal request records |
The Company does not seek to collect more personal data than is reasonably necessary for the relevant purpose.
4. Special-category and research-related data
Because the Platform is designed for research-focused use cases, certain workflows may involve data that is more sensitive in nature, including data connected to health, genetics, scientific research, or other regulated contexts.
The Company does not state in this Privacy Policy that all Platform use necessarily involves special-category personal data. However, where a customer, research organisation, collaborator, or authorised user chooses to use the Platform in a way that includes special-category or other regulated data, such processing will be handled only in the relevant permitted context, subject to applicable law, appropriate contractual arrangements, access controls, and role allocation.
Where required by law, the Company will rely on an appropriate legal basis and, where applicable, an additional condition for processing sensitive data. The precise legal framework may depend on the relevant use case, the role of the Company, the source of the data, and the jurisdiction involved.
5. How we collect personal data
The Company may collect personal data:
| Source | Description |
|---|---|
| Directly from you | When you create an account, contact support, request a demo, communicate with us, or otherwise interact with the Platform |
| From your organisation | When a customer, employer, research institution, or other authorised organisation provides user details or account information |
| Automatically through the Platform | Through system logs, authentication events, cookies or similar technologies where applicable, and security monitoring tools |
| From third parties | From service providers, collaborators, publicly available sources, or licensed / authorised data sources where relevant and lawful |
6. Why we process personal data
The Company may process personal data for the following purposes:
| Purpose | Examples |
|---|---|
| To provide and administer the Platform | Creating and managing user accounts, enabling access, maintaining platform functionality |
| To support users and customers | Responding to support requests, troubleshooting, communicating about service matters |
| To secure the Platform and prevent misuse | Monitoring access, detecting abuse, maintaining system integrity, investigating suspicious activity |
| To manage customer relationships | Contract administration, service communications, onboarding, renewals, business contact management |
| To improve the Platform | Evaluating performance, understanding how features are used, improving usability, reliability, and security |
| To support research-related workflows | Enabling searches, analysis, workflow support, and related functionality within the Platform environment |
| To comply with legal obligations and protect rights | Meeting legal requirements, handling requests, resolving disputes, enforcing rights and terms |
7. Legal bases for processing
Where the Company acts as a controller, it processes personal data on one or more of the following legal bases, depending on the specific context:
| Legal basis | Typical use cases |
|---|---|
| Performance of a contract | Providing access to the Platform, administering accounts, delivering support or contracted services |
| Legitimate interests | Securing the Platform, improving functionality, managing business relationships, preventing misuse, internal administration |
| Compliance with legal obligations | Keeping required records, responding to lawful requests, meeting regulatory obligations |
| Consent, where applicable | Processing that specifically requires consent under applicable law |
Where the Company processes personal data on behalf of a customer or another controller, the legal basis for the underlying processing may be determined by that controller, while the Company acts under contractual instructions and applicable law.
8. When the Company acts as processor
In some Platform contexts, the Company may process personal data only on behalf of a customer, research institution, or other organisation that determines the purposes of processing.
In such cases, that organisation is primarily responsible for identifying the legal basis for the processing, providing any required notices to data subjects, and ensuring that the relevant use of the Platform is authorised. The Company will process such personal data in accordance with applicable agreements, documented instructions, and relevant legal obligations.
9. Disclosure of personal data
The Company may disclose personal data to the following categories of recipients where relevant and appropriate:
| Recipient category | Why disclosure may occur |
|---|---|
| Service providers and infrastructure providers | Hosting, authentication, communications, analytics, support tooling, security operations, technical maintenance |
| Professional advisers | Legal, audit, compliance, or other professional support where necessary |
| Affiliates or group entities | Internal administration, support, governance, or service delivery where relevant |
| Customers, collaborators, or authorised users | Where necessary for the functioning of the Platform or the relevant customer or research relationship |
| Authorities or third parties where required by law | Compliance with legal obligations, protection of rights, response to lawful requests |
The Company does not sell personal data as that term is commonly understood in privacy law.
10. Third-party processors and sub-processors currently in use
The Company may use third-party service providers, infrastructure providers, and, where relevant, sub-processors to support the operation, delivery, security, communications, payment handling, storage, observability, and improvement of the Platform. Depending on the processing context, these providers may process personal data on the Company’s behalf or support the Company’s processing environment in another service-provider capacity.
The processors and service providers currently in use include the following:
| Provider | Typical role |
|---|---|
| Anthropic | LLM inference for chat and agent functionality |
| Google (Gemini) | Sub-agent LLM inference |
| Resend | Transactional email delivery |
| Stripe | Billing and payment processing |
| Neon | Postgres database hosting |
| Hetzner / S3-compatible object storage | Storage of file attachments at rest |
| Tavily | Web search functionality |
| Langfuse | LLM observability and tracing |
| AgentMail | Email inbox infrastructure for invite and email-related flows |
| Linear | Issue tracking, where user-submitted support or feedback content is stored there |
The specific providers used, and the role they play, may change over time as the Platform evolves. Where required by applicable law, the Company will maintain appropriate contractual safeguards with relevant providers and update this Privacy Policy or otherwise provide notice where appropriate.
11. International transfers
The Company may process or make personal data available across jurisdictions where necessary for the operation, support, security, or administration of the Platform.
Where personal data is transferred internationally, the Company seeks to implement appropriate safeguards required under applicable law. The specific transfer mechanism may depend on the relevant entities, systems, vendors, and countries involved.
12. Retention
The Company retains personal data only for as long as reasonably necessary for the relevant purpose, including to provide the Platform, maintain security, comply with legal obligations, resolve disputes, and enforce agreements.
Retention periods may differ depending on the nature of the data, the role of the Company, the applicable contractual context, and legal requirements. Where precise periods are not fixed in this Privacy Policy, the Company applies a need-based and compliance-based retention approach.
13. Security
The Company uses appropriate technical and organisational measures designed to protect personal data against unauthorised access, unlawful processing, accidental loss, destruction, or damage.
These measures may include access controls, authentication controls, logging, monitoring, encryption where appropriate, environment segregation, confidentiality controls, and governance processes appropriate to the nature of the Platform and the relevant processing context.
No digital environment can be guaranteed to be completely secure in all circumstances. However, the Company takes security seriously and works to maintain a level of protection appropriate to the risk.
14. Your rights
Depending on the applicable law and the relevant processing context, you may have rights in relation to your personal data. These may include the right to:
| Right | Description |
|---|---|
| Access | Request information about personal data processed about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of data in certain circumstances |
| Restriction | Request restriction of processing in certain cases |
| Objection | Object to certain processing based on legitimate interests |
| Data portability | Request transfer of certain data where applicable |
| Withdraw consent | Withdraw consent where processing is based on consent |
| Complain to a supervisory authority | Lodge a complaint with the relevant authority if you believe your rights have been violated |
If the Company acts only as a processor for the relevant data, it may need to redirect your request to the relevant controller.
To exercise your rights, please contact: privacy@kasvulabs.com.
15. Cookies and similar technologies
The Platform and related digital environments may use cookies or similar technologies for authentication, security, technical functionality, analytics, or user-preference purposes where applicable.
Where required by law, additional cookie information or consent mechanisms may be provided separately.
16. Children
The Platform is intended for professional, research, institutional, or business use. It is not intended for direct use by children as a consumer service.
17. Changes to this Privacy Policy
The Company may update this Privacy Policy from time to time to reflect changes in the Platform, legal requirements, operational practices, or product development.
Where appropriate, the Company will publish the updated version through the Platform or by other appropriate means. The Effective date at the top of this Privacy Policy indicates when this version took effect.
18. Contact us
If you have questions about this Privacy Policy or about how personal data is handled in connection with the Platform, please contact:
Company: Kasvu Labs Oy
Privacy contact: privacy@kasvulabs.com
Support contact: support@kasvulabs.com
Address: Aukustinkuja 13, 33710 Tampere, Finland
If applicable law gives you the right to complain to a supervisory authority, you may also contact the authority responsible in your jurisdiction.