Privacy Policy

Effective Date: October 10, 2025

Table of Contents

  • Introduction
  • Our role under the GDPR
  • Data Protection Officer
  • How we collect and use (process) your personal information
    • Categories of data subjects
    • Categories of personal data
    • Processing on behalf of customers
  • Use of the Operating Solutions website
  • Cookies and tracking technologies
  • Use of the Operating Solutions services
  • Sharing information with third parties
  • Transferring personal data outside the EU/EEA
  • Data Subject rights
  • Security of your information
  • Data storage and retention
  • Children’s data
  • Questions, concerns, or complaints

Introduction

Operating Solutions Oy, together with its subsidiary Operating Solutions Inc. (together later “Operating Solutions”), is a software-as-a-service business providing a professional services automation platform. Operating Solutions is headquartered in Helsinki, Finland.

We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Policy describes Operating Solutions’ policies and practices regarding its collection and use of your personal data and sets forth your privacy rights.

We recognize that information privacy is an ongoing responsibility, and we will update this Privacy Policy as we undertake new personal data practices or adopt new privacy measures.

Our role under the GDPR

Depending on the context, Operating Solutions may act as:

  • a data controller, when we process personal data for our own business purposes (e.g., managing customer relationships, billing, or marketing); and
  • a data processor, when we process personal data on behalf of our customers under their instructions and in accordance with a signed Data Processing Agreement (DPA).

When we process personal data on behalf of our customers inside the Operating Services, Operating Solutions Oy acts as the data processor.

Our U.S. subsidiary, Operating Solutions Inc., may assist in providing the services or billing activities. Where Operating Solutions Inc. processes personal data on behalf of Operating Solutions Oy in this context, it acts as a subprocessor or supports controller-side processing as part of the Operating Solutions corporate group.”

Compliance with Non-EU Privacy Laws

Where individuals or customers are located outside the EU/EEA, Operating Solutions may process personal data in accordance with additional local privacy requirements. These include, where applicable, the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Operating Solutions aligns these obligations with the protections provided under the GDPR, which generally reflect a higher standard of data protection.

Data Protection Officer

Operating Solutions has appointed an internal Data Protection Officer (DPO) who oversees compliance with the General Data Protection Regulation (GDPR) and related data protection laws.

If you have any questions or would like to exercise your privacy rights, please contact:

Mikko Karjalainen
Operating Solutions Oy
Käenkuja 3aA, 00500 Helsinki, Finland
Email: privacy@operating.app

How we collect and use (process) your personal information

We collect limited personal information necessary to provide and support our services, such as:

  • name and job title
  • employer name
  • business contact details (email address, phone number, work address)

We use this information to:

  • provide our SaaS platform and related services
  • manage our customer relationships
  • communicate with users
  • meet our legal obligations

We do not sell or rent personal data. We share it only with third parties that are necessary to deliver our services and are bound by contractual confidentiality and data protection obligations.

Categories of data subjects

Depending on how our services are used, Operating Solutions may process personal data relating to:

  • employees, contractors, and consultants of our customers who use our SaaS platform;
  • other individuals whose information is entered into the system by our customers (for example, project participants, resources, or planners); and
  • Operating Solutions’ own customers, prospects, and website visitors for customer management, support, and marketing purposes.

Categories of personal data

The personal data processed typically includes:

  • name, job title, and role
  • business contact details (such as email address, phone number, and company name)
  • user account identifiers and usage logs within the platform
  • resource allocation or scheduling data entered by the customer
  • any free-text information submitted by the customer or user that may incidentally contain HR-related or contextual details

Operating Solutions does not require or intentionally collect special categories of personal data (as defined in Article 9 of the GDPR), such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or biometric data, health data, or data concerning a natural person’s sex life or sexual orientation. Customers are responsible for ensuring that no such data is uploaded to the platform unless all conditions and safeguards required by the GDPR are met.

Processing on behalf of customers

In providing our SaaS services, Operating Solutions may process personal data on behalf of its business customers. In such cases, Operating Solutions acts as a data processor, and the customer acts as the data controller.

These processing activities, including their subject matter and duration, are governed by a written Data Processing Agreement (DPA) between Operating Solutions and each customer. The DPA defines the purpose of processing, the categories of personal data and data subjects, and the applicable technical and organizational measures.

Use of the Operating Solutions website

As with most websites, Operating Solutions’ website collects certain information automatically and stores it in log files. This may include IP addresses, the region or general location where your device is accessing the internet, browser type, operating system, and other usage information.

We use this information to improve our website, diagnose issues, and understand visitor preferences. We have a legitimate interest in understanding how members, customers, and potential customers use our website to improve usability and performance.

Cookies and tracking technologies

Operating Solutions uses cookies and similar technologies to enhance your experience.

Google Analytics

We use Google Analytics to help us understand how visitors interact with our website. Google Analytics uses cookies to collect information such as your IP address, device type, and browsing activity. This information may be transmitted to and stored by Google on servers located outside the EU/EEA. Google acts as our data processor for website analytics.

Operating Solutions’ Cookie Notice:

This website utilises technologies such as cookies to enable essential site functionality, as well as for analytics, personalisation, and targeted advertising. You may change your settings at any time or accept the default settings. You may close this banner to continue with only essential cookies.

Use of the Operating Solutions Software Service and Related Services

When customers and their authorized users use our SaaS services, Operating Solutions processes personal data entered into the system solely for providing, maintaining, and improving the service. We do not access or use customer data except as necessary to provide technical support or meet legal obligations.

Sharing information with third parties

The personal information Operating Solutions collects from you is stored in databases hosted by third parties located in Europe. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval.

A list of our third-party subprocessors can be found in our Trust Center: https://trust.operating.app/subprocessors

We do not otherwise disclose your personal data to non–Operating Solutions persons or businesses unless:

  1. you request or authorize it;
  2. it’s required by law or regulation;
  3. necessary to protect our rights or those of others;
  4. to perform a contract or resolve disputes; or
  5. it concerns aggregated or anonymized information for statistical purposes.

Transferring personal data outside the EU/EEA

Operating Solutions is headquartered in Finland, and we primarily store and process personal data within the European Union (EU) and European Economic Area (EEA).

We do not routinely transfer personal data outside the EU/EEA. However, in certain cases, we may engage subprocessors or service providers located in countries outside the EU/EEA.

When such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These include:

  • execution of the European Commission’s Standard Contractual Clauses (SCCs) with the relevant recipients; and
  • documented approval and authorization as set out in our DPA with customers.

Some of our operational activities may involve limited access by our U.S. subsidiary, Operating Solutions Inc., for support or administrative purposes. Where such access constitutes processing of personal data, Operating Solutions Inc. acts as a subprocessor under the Data Processing Agreement. These transfers are safeguarded in accordance with Chapter V of the GDPR, typically through the use of the European Commission’s Standard Contractual Clauses (SCCs).

Where the Controller or relevant individuals are subject to the Australian Privacy Act, Operating Solutions takes reasonable steps to ensure that any overseas recipient of personal data does not breach the Australian Privacy Principles (APPs), in accordance with APP 8. These steps include the use of written agreements requiring appropriate safeguards and technical and organisational measures. Operating Solutions provides these protections in a manner consistent with GDPR-level safeguards.

A current list of subprocessors and their transfer mechanisms is available at: https://trust.operating.app/subprocessors

For more information, please contact us at privacy@operating.app.

Data Subject rights

Under the GDPR, individuals have the right to:

  • be informed
  • access their personal data
  • request rectification or erasure
  • restrict or object to processing
  • data portability
  • not be subject to automated decision-making

Individuals located in Australia may also have rights under the Australian Privacy Act, including the right to access and correct their personal information.

When Operating Solutions acts as a processor on behalf of a customer, individuals should direct any data-related requests to the relevant customer (controller).

When Operating Solutions acts as a controller, individuals may exercise their rights directly by contacting us at privacy@operating.app.

Security of your information

Operating Solutions implements appropriate technical and organizational measures (TOMs) to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

These measures include:

  • encryption of data at rest and in transit
  • access controls based on least privilege
  • regular vulnerability assessments and monitoring
  • incident detection and response procedures
  • employee training on data protection and security

All personal data is hosted within the EU on reputable cloud infrastructure providers certified under ISO 27001 and SOC 2.

Data storage and retention

Personal data is stored on secure servers located within the EU. We retain personal data for as long as necessary to fulfill its purpose, comply with legal obligations, resolve disputes, and enforce agreements.

Upon termination of a customer relationship or at the customer’s written request, we delete or return all personal data in accordance with our DPA and applicable law.

If you wish to confirm that Operating Solutions is processing your personal data, or to request access, rectification, or erasure, please contact us at privacy@operating.app.

Children’s data

We do not knowingly attempt to solicit or receive information from children under 16 years of age.

Questions, concerns, or complaints

If you have questions, concerns, or complaints about this Privacy Policy or our practices, please contact:

Operating Solutions Oy
Käenkuja 3aA, 00500 Helsinki, Finland
Email: privacy@operating.app

If you are located in the EU, you may also contact your national Data Protection Authority for additional assistance.

If you are located in Australia and your complaint remains unresolved, you may also contact the Office of the Australian Information Commissioner (OAIC) at https://www.oaic.gov.au.