GDPR Compliance Statement

1. Introduction

AR-Go lab Oy ("Company", "we", "us", or "our"), registered in Finland with business ID (Y-tunnus) 3096104-8, is committed to ensuring that all personal data processing activities related to the VIDDDY platform ("Platform") comply with the General Data Protection Regulation (GDPR) (EU) 2016/679.

This GDPR Compliance Statement outlines our approach to data protection and the specific measures we have implemented to ensure compliance with the GDPR when processing personal data through our AI-powered feedback analysis platform.

2. Our Role Under GDPR

2.1 Data Controller

We act as a data controller for the personal data we collect directly from you when you:

• Register for and use the VIDDDY platform
• Communicate with us
• Visit our website

2.2 Data Processor

We act as a data processor for the personal data contained in the customer feedback that you upload or input into the VIDDDY platform for analysis. In this capacity, we process such data according to your instructions and our Data Processing Agreement.

3. Data Protection Principles

We adhere to the following principles when processing personal data:

3.1 Lawfulness, Fairness, and Transparency

We process personal data lawfully, fairly, and in a transparent manner. Our Privacy Policy clearly explains how we collect, use, and share personal data.

3.2 Purpose Limitation

We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.

3.3 Data Minimization

We limit the collection of personal data to what is necessary for the purposes for which it is processed.

3.4 Accuracy

We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.

3.5 Storage Limitation

We retain personal data only for as long as necessary for the purposes for which it is processed.

3.6 Integrity and Confidentiality

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

3.7 Accountability

We take responsibility for complying with the GDPR and can demonstrate compliance through our policies, procedures, and documentation.

4. Legal Basis for Processing

We process personal data only when we have a valid legal basis under the GDPR, including:

• Consent: When you have given clear consent for us to process your personal data for a specific purpose.
• Contract: When processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.
• Legal Obligation: When processing is necessary for compliance with a legal obligation to which we are subject.
• Legitimate Interests: When processing is necessary for our legitimate interests or those of a third party, provided these interests don't override your fundamental rights and freedoms.

Our Privacy Policy specifies the legal basis for each type of processing activity we undertake.

5. Data Subject Rights

We recognize and respect the rights of data subjects under the GDPR, including:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure ('right to be forgotten')
• Right to restriction of processing
• Right to data portability
• Right to object
• Rights in relation to automated decision making and profiling

We have implemented procedures to handle data subject requests in a timely and effective manner, ensuring that we meet the GDPR's one-month response deadline (which may be extended by up to two additional months for complex or numerous requests).

6. Technical and Organizational Measures

We have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

6.1 Data Security Measures

• Encryption of personal data both in transit and at rest
• Regular testing and evaluation of security measures
• Secure authentication and access controls
• Monitoring for security incidents
• Regular vulnerability assessments and penetration testing
• Backup and disaster recovery procedures

6.2 Organizational Measures

• Appointment of a Data Protection Officer (where required) or designated privacy personnel
• Regular data protection training for staff
• Implementation of data protection policies and procedures
• Data protection impact assessments for high-risk processing activities
• Record of processing activities
• Vendor management and data processing agreements

7. Data Processing Activities Related to AI Analysis

As an AI-powered feedback analysis platform, VIDDDY uses artificial intelligence and machine learning technologies to process customer feedback. We ensure that our AI processing activities comply with the GDPR by:

7.1 Transparency

We are transparent about our use of AI for analyzing feedback and clearly explain the types of analysis performed.

7.2 Purpose Limitation

Our AI systems only process personal data for the specific purpose of analyzing customer feedback as described in our documentation and agreements.

7.3 Data Minimization

Our AI systems are designed to use only the data necessary for the analysis, and we implement techniques to minimize personal data exposure where possible.

7.4 Automated Decision-Making and Profiling

When our AI systems engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals, we:

• Ensure there is a valid legal basis for this processing
• Implement suitable safeguards
• Enable human intervention when needed
• Provide explanations of AI-derived conclusions when requested

8. International Data Transfers

When transferring personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

• Transfers to countries with an adequacy decision from the European Commission
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules (if applicable)
• Derogations for specific situations as permitted by the GDPR

We regularly review our international data transfer mechanisms to ensure they remain valid and effective under evolving regulatory requirements and case law.

9. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) before undertaking high-risk processing activities, including:

• Systematic and extensive profiling with significant effects
• Processing of special categories of data or data about criminal convictions on a large scale
• Systematic monitoring of publicly accessible areas
• Using new technologies for data processing

Our DPIA process assesses the necessity and proportionality of processing, identifies and evaluates risks to individuals, and determines measures to address those risks.

10. Data Breach Response

We have implemented a data breach response procedure to:

• Detect and report personal data breaches within 72 hours to the relevant supervisory authority when required
• Notify affected data subjects without undue delay when a breach is likely to result in a high risk to their rights and freedoms
• Document all breaches, including facts, effects, and remedial actions taken

11. Data Protection Officer and EU Representative

11.1 Data Protection Contact

For data protection matters, please contact:

12. Data Processing Agreement

When we act as a data processor, we enter into a Data Processing Agreement (DPA) with our customers (the data controllers) that includes provisions required by Article 28 of the GDPR, including:

• Processing only on documented instructions from the controller
• Ensuring confidentiality commitments from individuals authorized to process the data
• Implementing appropriate security measures
• Assisting the controller in meeting GDPR obligations
• Returning or deleting personal data at the end of the service provision
• Providing information necessary to demonstrate compliance

Our standard DPA is available upon request by contacting privacy@ar-go.fi.

13. Privacy by Design and Default

We incorporate data protection by design and by default in our development processes by:

• Implementing data protection principles early in product development
• Ensuring that default settings are privacy-friendly
• Minimizing data collection and retention
• Using privacy-enhancing technologies where appropriate
• Conducting privacy reviews as part of the development lifecycle

14. Record of Processing Activities

We maintain a record of our processing activities as required by Article 30 of the GDPR, including information about:

• Categories of data subjects and personal data
• Purposes of processing
• Recipients of personal data
• International transfers
• Security measures
• Retention periods

15. Staff Training and Awareness

We ensure that our staff members are:

• Regularly trained on data protection requirements
• Aware of their responsibilities when processing personal data
• Bound by confidentiality obligations
• Familiar with our data protection policies and procedures

16. Compliance Monitoring and Review

We regularly monitor and review our GDPR compliance through:

• Internal audits and assessments
• Updating policies and procedures to reflect legal and regulatory changes
• Reviewing the effectiveness of technical and organizational measures
• Engaging external experts for independent assessments when necessary

17. Commitment to Continuous Improvement

We are committed to continuously improving our data protection practices by:

• Keeping informed about regulatory developments and guidance
• Learning from industry best practices
• Updating our measures in response to evolving threats and risks
• Receiving and acting on feedback from data subjects, customers, and authorities

18. Contact Information

For questions, concerns, or requests regarding our GDPR compliance, please contact:

19. Updates to This Statement

This GDPR Compliance Statement may be updated periodically to reflect changes in our practices or regulatory requirements. We will notify you of significant changes by posting the updated statement on our website and, where appropriate, contacting you directly.

Last updated: April 29, 2025