Privacy Policy
Last updated: 2026-05-16
Version 2.2 · Effective from 16 May 2026
Overview
This privacy policy describes how Stratospheric Cloud Oy (Viran) processes personal data and confidential material on its website and in its services Viran Bid Team and Viran Review. The role (controller / processor) varies by service and is described separately for each service below.
Controller and contact
Stratospheric Cloud Oy (Viran). Business ID 3520574-3. VAT FI35205743. Address: Turvalaaksonkuja 2 A, 01740 Vantaa, Finland. Privacy contact: [email protected].
1. Website and contact requests
Role: Controller
Purposes: Operating the website, processing contact requests, booking demo meetings, initiating customer relationships, and marketing based on legitimate interest.
Data processed: Via contact form: name, email, organization, role, message content. Via Outlook Bookings when booking a demo: name, email, time. Via cookies for analytics: page views, browser type, anonymized usage metrics (only with the user's consent).
Legal basis: Pre-contractual steps (GDPR 6.1.b), legitimate interest (6.1.f) for B2B marketing, consent (6.1.a) for analytics cookies.
Retention: Contact requests: 24 months from last contact. Demo bookings: 12 months. Analytics data: 26 months or until the user withdraws consent.
2. Viran Bid Team (for suppliers)
Role: Controller for customer's contact persons. Processor for customer's confidential material (pricing, references, subcontractor IP).
Purposes: Assessing tender suitability against customer's profile, producing the weekly briefing, preparing bid documents, pricing simulation, billing and customer communication.
Data processed: About the customer: contact persons, company profile, references, pricing, tender materials (including subcontractors' and system partners' IP-protected materials). From public data: Hilma and Tarjouspalvelu notices, procurement decisions (no personal data).
Legal basis: Contract with the customer (GDPR 6.1.b). For customer's confidential material we follow contractual terms and customer instructions as a processor (GDPR 28).
Retention and return: Customer material is retained for the contract term, and billing-related material as required by accounting law. At contract end, we return the customer material and delete it from our systems within 90 days.
3. Viran Review (for public-sector buyers)
Role: Processor. The contracting authority is the controller for the procurement documents and any personal data therein.
Purposes: Intelligent review of procurement documents submitted by the contracting authority: annex references, award-criteria arithmetic, date logic, internal references. Production and reporting of findings.
Data processed: Procurement documents submitted by the contracting authority and any personal data contained therein (e.g., civil servants' names). Customer's contact persons.
Legal basis: Engagement and data processing agreement (GDPR Article 28). We provide a DPA as an annex to every Viran Review agreement.
Retention: According to the contracting authority's instruction. Default: materials are returned and deleted within 30 days of processing end, unless otherwise agreed.
Subprocessors
We use the following subprocessors. Each subprocessor has a GDPR Article 28 agreement in place, and Standard Contractual Clauses (SCC) where transfers occur outside the EU.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Website hosting and content delivery network | EU (Frankfurt) — Vercel Pro deployment region |
| Supabase Inc. | Database service for website content | EU (Frankfurt) |
| Resend Inc. | Delivery of contact-form emails | United States (SCC, DPA) |
| PostHog Inc. | Usage analytics under cookie consent | EU (posthog.eu) |
| Microsoft Ireland Operations Ltd. | Email (@viran.ai), Teams meetings, Outlook Bookings for demo booking | EU (Ireland) |
| GitHub, Inc. | Version-controlled storage of project material | United States (SCC, DPA) |
| Anthropic PBC | AI-assisted internal analysis for Viran Bid Team (no customer data retention in model training) | United States (SCC, zero data retention enabled) |
| Cloudia / Tarjouspalvelu | Retrieval of public tender materials. Access is either via public data or with the customer's separate authorization using the customer's own credentials. | EU |
Transfers outside the EU/EEA
Some subprocessors are located in the United States. For these transfers we apply the European Commission's Standard Contractual Clauses (SCC) and, where needed, supplementary safeguards. All confidential customer material is kept in EU-located systems to the extent technically feasible.
Security
We apply appropriate technical and organizational safeguards, including access controls, encryption in transit and at rest, audit logs, and regular backups. The operational details are described in a separate security documentation package provided on request. We follow the principles of ISO/IEC 27001 where applicable.
Data Processing Agreement (DPA): We provide a DPA as an annex to every customer agreement. Request it at [email protected].
Rights of the data subject
You have the following GDPR rights regarding your personal data:
- Right of access (GDPR Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restrict processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Right to lodge a complaint with a supervisory authority
You can exercise your rights by contacting: [email protected]
Supervisory authority
Office of the Data Protection Ombudsman, Lintulahdenkuja 4, 00530 Helsinki, Finland. Web: tietosuoja.fi.
Change log
16 May 2026, Version 2.2: Website hosting (Vercel) moved to the EU region (Frankfurt) under the Vercel Pro plan. GitHub, Inc. added to the subprocessor list for version-controlled storage of project material.
17 April 2026, Version 2.0: Three service-lane structure (website, Bid Team, Review). Subprocessor list refreshed and expanded. DPA and security documentation practices added.