How we handle personal data on cwaves.fi.

The data controller is CWaves Digital Oy, a Finnish private limited company with business ID 3612568-1, registered office in Helsinki, Finland. You can contact the controller at hello@cwaves.fi. We have not appointed a Data Protection Officer because our processing activities do not meet the thresholds in Article 37 GDPR; privacy matters are handled directly by the controller at that address.

We process the following categories of personal data:

• Discovery form data. Name, work email, company, contact intent, project type, free-text problem description, indicative timeline and preferred contact channel — all provided by you when you submit the form on the homepage.
• Email correspondence. Any content, attachments and metadata in emails you send to or receive from @cwaves.fi addresses.
• Functional preference. The interface language you select, stored in a first-party cookie named cwaves-language and a matching localStorage entry on your device.
• Technical access data. Standard server access logs maintained by our hosting provider: truncated IP address, user-agent string, requested path, response status code and timestamp.

We do not knowingly collect special categories of personal data (Article 9 GDPR), criminal data (Article 10 GDPR), or data from children under 16. We do not operate third-party analytics, advertising pixels, behavioural tracking, cross-site tracking or fingerprinting on this site.

Each category above is processed for a specific purpose on a specific legal basis:

• Discovery form data — to reply to your enquiry, prepare for the requested discovery conversation and follow up by your preferred channel. Legal basis: steps prior to entering into a contract at your request (Article 6(1)(b) GDPR) and our legitimate interest in responding to prospective clients (Article 6(1)(f) GDPR).
• Email correspondence — to handle the conversation you initiated. Legal basis: Article 6(1)(b) or 6(1)(f) GDPR depending on the context.
• Language preference — to display the site in the language you selected. Legal basis: strictly necessary processing for a service explicitly requested by you, as permitted by the Finnish implementation of the ePrivacy Directive (§205 of the Information Society Code, 917/2014).
• Technical access data — to keep the site available, secure and free of abuse. Legal basis: our legitimate interest in the security and integrity of our infrastructure (Article 6(1)(f) GDPR; see Recital 49).

You can object to processing based on legitimate interest at any time, by email to hello@cwaves.fi.

Inside CWaves Digital Oy, only the team members directly involved in responding to enquiries and operating the website have access to your personal data. Outside CWaves, we rely on the following processors, each bound by a written data processing agreement under Article 28 GDPR:

• Formspree, Inc. — delivers discovery form submissions to our inbox. United States.
• Our hosting provider — serves cwaves.fi and stores server access logs. European Union.
• Our business email provider — transports and stores correspondence with @cwaves.fi addresses.

We do not sell personal data and we do not share it with third parties for their own marketing or advertising purposes.

Where processing involves transferring personal data outside the European Economic Area — in particular to processors established in the United States — the transfer is covered by the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where available, by the EU-US Data Privacy Framework. Supplementary measures are in place where required by the Schrems II judgment (C-311/18). You can request a copy of the safeguards by writing to hello@cwaves.fi.

We keep personal data only for as long as necessary for the purpose:

• Discovery form submissions and the resulting email thread are retained for the duration of the conversation and for up to 24 months from the last interaction, unless you ask us to delete them earlier or we enter into a contractual relationship (in which case our standard client-record retention applies).
• Server access logs are rotated within 30 days.
• The cwaves-language cookie has a maximum lifetime of 12 months and is stored only on your device.
• Statutory accounting records (Finnish Kirjanpitolaki 1336/1997) are kept for the legally mandated period when applicable.

Under Articles 15–22 GDPR, and subject to the conditions in the GDPR, you have the right to:

• access the personal data we hold about you (Article 15);
• have inaccurate data rectified (Article 16);
• request erasure of your data, also known as the “right to be forgotten” (Article 17);
• request restriction of processing (Article 18);
• receive your data in a portable format (Article 20);
• object to processing based on legitimate interest, including profiling (Article 21); and
• withdraw consent at any time, where processing is based on consent (Article 7(3)).

To exercise any of these rights, email hello@cwaves.fi. We will respond within one month (Article 12(3) GDPR). We may ask you for proof of identity where reasonably necessary to verify your request.

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) at tietosuoja.fi, or with the supervisory authority in your country of residence or place of the alleged infringement (Article 77 GDPR).

We use only one strictly necessary first-party cookie: cwaves-language — HttpOnly false (it is read by client-side JavaScript on purpose), SameSite=Lax, Secure where the page is served over HTTPS, max-age 31 536 000 seconds (12 months). It stores the interface language you actively selected. Because it is strictly necessary for a service requested by you, no consent banner is required under §205 of the Finnish Information Society Code (917/2014) implementing Article 5(3) of the ePrivacy Directive.

You can clear this cookie at any time from your browser settings; the next time you visit, the language will fall back to your browser preference.

cwaves.fi is a B2B service aimed at professional audiences. We do not target the site at children and we do not knowingly collect personal data from persons under 16. If you believe a child has provided personal data through the site, please contact us so we can delete it.

We do not make decisions producing legal or similarly significant effects based solely on automated processing, including profiling, within the meaning of Article 22 GDPR.

We use industry-standard technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction, including TLS in transit, access controls and the principle of least privilege for our processors. No system is perfectly secure; if a personal data breach occurs we will notify the supervisory authority and, where required, affected individuals in line with Articles 33 and 34 GDPR.

We may update this notice when our practices change or when legal obligations require it. Material changes will be summarised at the top of this page and the version and date above will be updated. Where required by law, we will also notify you directly.

Privacy questions, data subject requests and breach reports: hello@cwaves.fi. Postal address: CWaves Digital Oy, Helsinki, Finland.