Privacy Policy
Last updated June 16, 2026
This policy describes how personal data is processed in the Tuttu for Business service, for what purposes and on what legal bases, and what rights you have.
1. Data controller
The data controller is Insinööritoimisto Loikkanen Oy (business ID 3600045-9), referred to here as “Tuttu”. Privacy contact: Ilpo Loikkanen, [email protected].
This policy covers the Tuttu for Business service and the website business.tuttu.ai. The service is intended for business use (B2B).
2. Two roles: controller and processor
Tuttu processes personal data in two distinct roles, which should be kept separate:
- As a controller, Tuttu processes its business customers' data: account users' contact details, billing data, and technical data about use of the service. This processing is described in this policy.
- As a processor, Tuttu processes the data of the business customer's callers and message senders on the business customer's behalf and on its instructions. Here the business customer is the controller and is responsible for its own data protection obligations towards its callers. The terms governing this processing, the processor's obligations, and the full list of sub-processors are set out in a separate data processing agreement (GDPR Article 28).
3. What personal data we process
- Account and user data: email address, name (if the login source provides it), and the user's role. Login is passwordless — we do not store passwords.
- Billing data: company name, business ID, VAT number, and address for the receipt. We do not process or store payment card details ourselves — payment is handled by our payment provider Stripe on its own checkout page.
- Content you enter (the knowledge base): your business description, services, policies, and other material the assistant uses, which may contain personal data (for example employees' names or contact details). You are responsible for the lawfulness of the content you enter.
- Call and message data: the caller's phone number (when transmitted), the content of calls and text messages as text transcripts, keypad-entered numbers, messages and callback requests left by callers, and the call duration and other technical metrics. We process this data as a processor on the business customer's behalf.
- Technical data: server logs, usage and error data, and API usage cost-tracking (service name, model, and number of units processed — not message content).
Call audio is not recorded. Call audio is streamed in real time for speech recognition, but it is not recorded or stored — only the text transcript is retained permanently.
4. Where the data comes from
- Directly from you when you register, fill in details, or use the service.
- From callers and message senders during calls and text messages.
- From the Finnish Business Information System (PRH / Tax Administration YTJ) when you look up your company by business ID or name (public open data).
- From the login provider WorkOS (email and name) and from optional Google sign-in.
5. Purposes and legal bases
The legal bases for processing are those set out in Article 6 of the GDPR:
- Providing the service and managing the customer relationship — performance of a contract (GDPR Article 6(1)(b)).
- Billing and accounting — legal obligation (Article 6(1)(c); accounting law).
- Developing the service, security, and preventing misuse — legitimate interest (Article 6(1)(f)).
- Processing of caller data is carried out on the business customer's behalf on the legal basis determined by that customer; see the data processing agreement.
6. AI and automated decision-making
The service answers calls and messages using AI. Callers are told at the start of each call that they are speaking with an AI — this satisfies the transparency obligation in Article 50(1) of the AI Act (Regulation (EU) 2024/1689).
The service does not make automated decisions producing legal or similarly significant effects on data subjects within the meaning of Article 22 of the GDPR. The AI relays messages, answers questions, and records callback requests; the actual decisions are made by the business customer.
AI may occasionally interpret or phrase things inaccurately. Critical information should be verified separately.
7. Special categories of data
We do not request or intentionally collect special categories of personal data within the meaning of Article 9 of the GDPR (such as health data). A caller may nonetheless volunteer such information during a call, in which case it ends up in the transcript. We recommend not configuring the assistant to collect sensitive data.
8. Recipients and processors
We use the following subcontractors (data processors) to provide the service. There is a data processing agreement with each, and they process data only to provide the service:
| Processor | Task | Data processed | Location / transfer basis |
|---|---|---|---|
| Twilio | Voice call and SMS transport | Audio transport, caller number, outbound notifications | United States — DPF / standard contractual clauses |
| OpenAI | Real-time speech recognition and response (gpt-realtime-2) | Call audio (not stored) | United States — DPF / standard contractual clauses |
| OpenRouter | SMS text processing and onboarding website analysis; routes to model providers (Google, Anthropic) | Message text, knowledge base excerpts | United States — standard contractual clauses |
| Voyage AI | Knowledge base and search embeddings | Knowledge base text, search queries | United States — standard contractual clauses |
| WorkOS | Passwordless login | Email, name | United States — DPF / standard contractual clauses |
| Stripe | Payments and billing | Name, email, address, business ID (no card details to us) | United States / Ireland — DPF / standard contractual clauses |
| Resend | Email notifications to the owner | Recipient email, notification content | United States — standard contractual clauses |
The primary place of storage is application servers and a database located in Finland (within the EU/EEA). We may also disclose data to authorities where required by law.
9. Transfers outside the EU/EEA
Some of the processors listed above process data outside the EU/EEA, in particular in the United States. Transfers are based on the safeguards in Articles 44–46 of the GDPR: for processors certified under the EU–US Data Privacy Framework, the European Commission's adequacy decision (10 July 2023), and otherwise the European Commission's standard contractual clauses (SCCs).
10. Retention
- Account, knowledge base, call, and message data are retained for as long as the customer relationship is active.
- When an account is deleted, it is suspended immediately and all account data is permanently deleted after 14 days (an internal safety buffer in case of recovery).
- Billing and accounting records are retained for the period required by accounting law (generally 6 years).
- Call state is held in the server cache (Redis) only for the duration of the call with a short expiry; it is not retained permanently.
11. Your rights
As our business customer you have the rights under the GDPR: the right to access your data (Article 15), rectify inaccurate data (Article 16), erase data (Article 17), restrict processing (Article 18), data portability (Article 20), and object to processing (Article 21). Requests should be sent to [email protected].
If you called a business customer's number, that business is the controller. Address requests about your data to it first; we will forward requests to it as the processor.
You also have the right to lodge a complaint with the supervisory authority (GDPR Article 77). In Finland the supervisory authority is the Office of the Data Protection Ombudsman, tietosuoja.fi.
12. Data security
We protect data with technical and organisational measures. Traffic is encrypted in transit, per-customer access is isolated with database row-level security, and access to production systems is restricted.
13. Cookies and tracking
The website does not use advertising or tracking cookies. Browser local storage is used only for functional purposes, such as remembering the language selection and the login session.
14. Changes to this policy
We update this policy as needed. We will announce material changes in the service or by email.
Sources and legislation
- General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 of the European Parliament and of the Council
- AI Act, Article 50 — Regulation (EU) 2024/1689 (transparency obligations)
- Finnish Data Protection Act 1050/2018 — National law complementing the GDPR
- EU–US Data Privacy Framework — Commission Implementing Decision (EU) 2023/1795 of 10 July 2023
- Standard contractual clauses (SCCs) — Commission Implementing Decision (EU) 2021/914
- Office of the Data Protection Ombudsman — Finnish supervisory authority