Last updated: 12.6.2026
1. Data Controller
Anfra Oy Business ID: 2679234-1 Linnunrata 14 90440 Kempele
2. Contact Person for Data Protection
For questions regarding data protection, you may contact:
Marika Vänttilä
Email: tietosuojavastaava@anfra.fi
3. Scope of This Policy
This privacy policy applies to Anfra Oy's website (anfra.fi), the processing of personal data in connection with the website, and the processing of personal data carried out through our official WhatsApp communication channel.
Specifically, this policy covers:
- Data collected via website forms
- Messages and data collected through the official WhatsApp communication channel
- Technical data generated through website use
- Cookies and analytics
- Data security, prevention of misuse, and log data processing
- Third-party services and embeds used on the website
4. Data We Process
DATA COLLECTED VIA FORMS
The website uses Pipedrive web forms. The following information may be collected through these forms:
Contact Form
- Name
- Business ID
- Phone number (optional)
- Message
Feedback form
- Message
Form data is directed directly to Pipedrive and is not stored in WordPress.
DATA COLLECTED THROUGH THE WHATSAPP COMMUNICATION CHANNEL
Through the WhatsApp communication channel, we process the following personal data:
- The content of messages sent between you and Anfra: text, images, documents, voice messages, and other attachments
- Your phone number as a WhatsApp identifier (in E.164 format)
- Your WhatsApp profile name, if you have set it to be visible to others
- Message metadata: timestamps, delivery status (sent/delivered/read), message type, and language
- Text content automatically extracted from attachments (OCR text extraction)
- Classification based on message content (e.g., "fault report", "question", "working hours notification")
DATA GENERATED DURING WEBSITE USE
The following data may also be processed in connection with website use:
- IP address
- Browser and device information
- Log and event data
- Data related to cookies and consent choices
- Identifiers necessary for website functionality, security, and analytics
5. Purposes of Processing
Personal data is processed for the following purposes:
- Responding to inquiries
- Processing feedback
- Managing customer, subcontractor, and site communication (including WhatsApp communication)
- Creating and managing B2B sales leads
- Preparing sales processes and customer relationships
- Business communication
- B2B marketing
- Internal organization, such as automatically classifying and routing WhatsApp messages to the correct person in charge
- Statutory retention obligations (accounting, occupational safety, contractual compliance)
- Analyzing and developing website usage
- Ensuring the technical functionality and security of the website
- Preventing misuse, security breaches, and harmful traffic
- Managing and documenting cookie preferences
6. Legal Basis for Processing
LEGITIMATE INTEREST
The processing of personal data is based on Anfra Oy's legitimate interest insofar as the processing relates to:
- Receiving and processing B2B inquiries
- Management of sales leads
- Preparation and maintenance of customer relationships
- Business communication and B2B marketing
- Internal operational organization (e.g., message routing)
- Ensuring website security
- Prevention of misuse
- Technical logging and service maintenance
Anfra Oy's legitimate interest is based on the need to process B2B contacts, manage sales leads, maintain business communication, and ensure the website's operation and security.
CONTRACT AND LEGAL OBLIGATION
We process data for the performance of a contract when managing customer, subcontractor, and site communications. Additionally, our processing is based on a legal obligation when data is retained in accordance with the Finnish Accounting Act, the Occupational Safety and Health Act, or other statutory and contractual obligations.
CONSENT
Processing is based on consent regarding:
- The use of non-essential cookies
- The use of analytical cookies
- Loading third-party content, such as YouTube embeds, when their use requires consent
Consent can be withdrawn or cookie settings changed at any time via the website's cookie settings.
7. Sources of Information
Personal data is primarily obtained from:
- The data subject themselves via web forms or WhatsApp communication
- Technical data generated during website use
- Cookie and consent management tools
8. Is Providing Data Mandatory?
Providing personal data via web forms and using the WhatsApp communication channel is generally voluntary. If the data subject does not provide the information necessary to handle the inquiry, Anfra Oy may not be able to respond to the inquiry or process the matter appropriately. You can stop sending messages to us at any time or choose an alternative method of contact.
9. Recipients and Processors of Personal Data
Personal data may be processed to the extent necessary to implement the website, forms, analytics, security, and technical maintenance.
The following service providers, among others, may process personal data on behalf of Anfra Oy:
- Louhi Net Oy (hosting and server environment) (hosting and server environment)
- Pipedrive Pipedrive (web forms and lead management)
- Google services, such as Analytics, Tag Manager, Search Console, and PageSpeed Insights
- 360dialog GmbH (WhatsApp Business service provider)
- Meta Platforms, Inc. (WhatsApp service technology platform)
- Google Cloud EMEA Ltd. (Anfra's system infrastructure and communication AI environment)
- Anfra's internal services (e.g., Anfra AI Gateway service for message classification and text extraction)
- Hubexo Finland Oy / Rakennusfakta Analytics Pro
- YouTube, if the user accepts cookies or external content associated with it
- Leadfeeder Finland Oy / Leadfeeder Group GmbH (B2B website analytics and lead identification)
Personal data is disclosed or provided for processing to these parties only to the extent necessary to implement, maintain, protect, or develop the service.
10. Data Transfers Outside the EU or EEA
Some of the service providers used may process personal data outside the European Union or the European Economic Area or utilize international sub-processors.
For example, Meta Platforms, Inc. processes some of the WhatsApp service's technical metadata in the United States under the EU-US Data Privacy Framework approved by the European Commission and Standard Contractual Clauses (SCCs).
If personal data is transferred outside the EU or EEA, the transfers are carried out in accordance with applicable data protection laws and using appropriate safeguards. The data subject may request further information about the safeguards used by contacting tietosuojavastaava@anfra.fi.
11. Retention Periods
Personal data is stored only as long as necessary to fulfill the processing purposes described in this policy.
- Form and lead data: Inquiries and leads received via Pipedrive remain in the CRM system indefinitely until deleted.
- WhatsApp Messages: Active messages and conversations are retained for the duration of their purpose of use (generally up to 2 years from the last contact). Contract-related messages are retained for the duration of the contract plus the retention period required by the Accounting Act (usually 6 years). Attachment media (images, documents) are retained by default for 365 days from the time of download.
- Log and security data: Log data collected for technical and security purposes is stored only for as long as necessary. The retention period for logs from the Redirection plugin used on this website is currently generally one week.
- Cookies and consent data: Retention periods vary depending on the type and purpose of the cookie.
12. Cookies and Analytics
The website uses cookies and similar technologies to implement website functionality, consent management, analytics, and external content.
ESSENTIAL COOKIES
Some cookies are necessary for the technical operation and security of the website, as well as for storing the user's cookie preferences.
CONSENT MANAGEMENT COOKIES
The website uses cookies intended to store and manage the user's consent or refusal regarding the use of cookies.
IDENTIFIERS DETECTED BEFORE COOKIE SELECTION
The following identifiers have been detected on the website's front page before the user's cookie selection:
- _pk_id.6.a306
- _pk_ses.6.a306
- gtm_pageview_count
- ma_popup_visitor
The exact technical classification of these identifiers may depend on the website's implementation and active functionalities.
ANALYTICS COOKIES USED AFTER CONSENT
Once the user accepts the use of cookies, additional analytical cookies may be used, such as:
- _ga_J9NZBYLVTB
- _gat_gtag_UA_75859458_1
- _ga
- _gid
According to the website's understanding, non-essential cookies related to analytics and media content, such as those related to Google Analytics and YouTube, are subject to consent.
Our website uses the technologies of Leadfeeder (Leadfeeder Finland Oy as part of Leadfeeder Group GmbH) to analyze visitor behavior. In this process, the IP address of a visitor is processed. This processing has the purpose of helping us understand which businesses (B2B) are visiting our site, by enriching IPs with associated information such as the company name or industry code. To do this, at the beginning of the visitor’s session, their IP address and corresponding session data is matched against a large whitelist of known companies.
EMBEDDED CONTENT
The website may contain YouTube videos. Displaying such content may lead to a third party setting cookies or processing data if the user gives their consent.
13. Data Security
Anfra Oy protects personal data with appropriate technical and organizational measures. Such measures may include:
- Restricting access rights
- Access control
- Server and network security measures
- Monitoring log data
- Login protection and prevention of misuse
- Use of encrypted connections
The website also utilizes plugins and technical solutions supporting security and logging to detect and prevent harmful or unauthorized use.
14. Artificial Intelligence and Automated Decision-Making
Anfra Oy does not engage in automated decision-making based on personal data, nor does it perform profiling that would have legal effects or other similarly significant effects on the data subject (GDPR Art. 22). (GDPR art. 22).
However, messages sent to our WhatsApp channel pass through a partially automated artificial intelligence system designed to support office operations. The system:
- Classifies messages and routes them to the correct person in charge
- Extracts text content from attachments using Optical Character Recognition (OCR)
- Generates summaries of extensive message threads when necessary
- Final decisions are always made by Anfra's employees. You have the right to request that, alongside automated processing, your message be reviewed by a human representative. This notice also fulfills the transparency obligation set out in Article 50 of the EU Artificial Intelligence Act (AI Act).
15. Rights of the Data Subject
In accordance with applicable data protection legislation, the data subject has the right to:
- Obtain confirmation as to whether personal data concerning them is being processed
- Access personal data concerning them
- Request the rectification of inaccurate or incomplete data
- Request the erasure of data within the limits allowed by law
- Request the restriction of processing
- Object to the processing of personal data when processing is based on legitimate interest
- Data portability (transfer data from one system to another) where applicable
- Withdraw consent insofar as the processing is based on consent
- Request the complete deletion of their WhatsApp chat history
- Lodge a complaint with a supervisory authority
Requests concerning data protection can be sent to tietosuojavastaava@anfra.fi.
16. Changes to the Privacy Policy
Anfra Oy reserves the right to update this privacy policy based on, for example, service development, changes in legislation, or functional changes to the website. The up-to-date privacy policy will be published on this page.