As part of the Finnpark Group’s efforts to clarify its business operations, the provision of the Moovy service has been transferred to Moovy Oy, a wholly owned subsidiary of Finnpark Oy. As a result, Moovy Oy has become the data controller of the Moovy service customer register, and both the privacy statement and the terms and conditions of the customer register have been updated. Personal data will continue to be processed according to the same principles as before, and the functionality, content, pricing, and terms of the Moovy service will remain unchanged. The change does not require any action from customers. The updated terms and privacy policy are available on the Moovy website: privacy statement, consumer contract terms and conditions, and corporate contract terms and conditions.
Privacy statement for the customer register of Moovy Oy
This privacy statement pursuant to Articles 13 and 14 of the General Data Protection Regulation (679/2016/EU) describes how the Controller processes personal data of Customers of the Moovy application and the Moovy online store.
Privacy policy last updated on 16 June 2026.
1. Contact details of the controller
Company name: Moovy Oy
Company postal address: P.O. Box 15, FI-33210 Tampere
Business ID: 3375902-1
Email: asiakaspalvelu@moovy.fi
2. Purpose of processing personal data
The purpose of processing of personal data in the Moovy Customer Register is to manage, administer, and maintain the customer relationships of the Controller’s Customers who use the Moovy application and the Moovy online store; manage customer agreements, invoicing and charge information, and access rights; verify customer events; and administer access control devices. Personal data can also be processed for parking supervision purposes and for investigating possible abuses.
The purpose of processing personal data also includes developing the Controller’s customer service and business operations, as well as carrying out customer communications and marketing activities.
3. Personal data processed
The register consists of the data processed in the Controller’s parking management and customer information systems.
Personal data contained and processed in the Moovy Customer Register may include:
- vehicle registration number,
- the Customer’s name, address, telephone number, and email address,
- information on the services and products ordered and used by the Customer, the parking facility or area used by them, and their parking times
- billing and payment information, such as payment card number
- information on Moovy online store events
- in the case of electronic services, the user ID, password, and any other unique user ID; and
- records of customer service and complaint-related contacts.
In the event that an employer company acquires parking rights for its employees or visitors from parking locations whose parking management services are provided by the Controller, and a parking rights holder exercises said rights in the Moovy application, their personal data is processed on the basis of their Moovy application-based customer relationship. However, the employer company acts as a separate controller for the processing of personal data related to the sharing of parking rights. If the data subject wishes to receive detailed information on the related processing of their personal data, they may contact the controller in question.
4. Grounds for processing personal data
4.1. The Controller processes personal data on the basis of the Agreement (GDPR Article 6, section 1b) and the Customer’s consent (GDPR Article 6, section 1a) when the personal data required for the implementation and use of the Moovy application are stored in the register. This information includes the Customer’s vehicle registration markings, which are linked to the Customer’s name and contact details; services and products ordered and used by the Customer; the Customer’s order, invoicing, and payment information; and the Customer’s user ID, password, and other possible unique identifier.
4.2. The Controller also processes personal data in connection with the Agreement and the Customer’s consent when vehicle registration data, the Customer’s parking location data, information on the parking facility or area used by the Customer, the date and time of the parking event, and the parking charge are processed for the purpose of managing access control related to the Customer’s parking event and storing the data in the parking event log.
4.3 The Controller also processes personal data on the basis of the Agreement and the Customer’s consent when personal data required for the use of the Moovy online store is stored in the register, which includes the registration markings of vehicles reported by the Customer, which are linked to the email address provided by the Customer and the services or products ordered by the Customer and the related order, invoicing, and payment information. For electronic services, the user ID, password, and other potential unique identifier are stored.
4.4 Information related to the implementation of communications and customer service, such as recorded customer service calls, is also processed on the basis of the Agreement.
4.5 Based on consent, the Customer’s name and contact details may also be processed for the purpose of sending marketing bulletins. For data subjects who have consented to direct marketing, profiling may be used for targeted marketing purposes.
4.6 If the user of the Moovy application has given the application access to their mobile device’s location services, personal data may also be processed on the basis of the Customer’s consent (GDPR Article 6, section 1a) for the provision of the Controller’s services and the optimisation of said services based on the user’s location.
4.7 Based on the Controller’s legitimate interest (GDPR Article 6, section 1f), the Customer’s name and contact details, vehicle registration markings, vehicle parking information, and order, invoicing, and payment information, as well as customer contact records, may be processed for the purpose of managing customer invoicing and safeguarding the Controller’s legal position. On the basis of a legitimate interest, data may also be processed for the purposes of developing the Controller’s services and business, and for this purpose, the data may be anonymised and used in anonymised form.
4.8 In order to fulfil the Controller’s statutory obligations (Article 6, section 1c of the GDPR), personal data, such as data concerning the Customer’s payment transactions, is processed to the extent required by the Accounting Act of Finland.
If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent at any time. However, the withdrawal of consent will not affect the lawfulness of the processing prior to the withdrawal of consent.
5. Regular sources of personal data
The regular and primary source of data is the data collected from the customers themselves. The processed personal data is collected from the data subjects themselves in connection with their registration in the Moovy application and their use of the application. Similarly, a Customer using the Moovy online store provides the personal data required for the use of the Moovy online store when using the Moovy online store’s services.
Customer data may also be collected from the Customer by telephone, feedback forms, the internet, email, or other similar means.
When the Customer uses a parking location that utilises the Moovy parking management system, vehicle registration markings are also collected using camera-based technology. Customer data may also be collected from the Controller’s other information systems using software-based cookies or technical devices or other similar technologies.
For the management of payment claims, the Controller receives information on the Customer’s payments for advance parking reservations from the Controller’s payment service provider.
In cases of suspected misuse, the contact details of the vehicle owner and holder may also be requested from the register maintained by Traficom.
6. Disclosures and transfers of personal data
Personal data contained in the register may be disclosed to the Controller’s partners. For example, in connection with online purchases, the registration number related to the parking right is disclosed to the owner of the parking location to which the parking right has been acquired. The owner of the parking location acts as an independent controller for the personal data file formed from the users of said parking location. If the data subject wishes to receive detailed information on the related processing of their personal data, they may contact the controller in question.
Data may also be disclosed to parking supervisors for parking supervision tasks and for determining the validity of the vehicle’s parking rights and, if necessary, to Traficom for determining the details of the vehicle and its owner or holder.
Register data can be disclosed to the authorities insofar as the authorities have the legal right to have them.
Personal data may, with the explicit consent of the data subject, be disclosed to third parties for direct marketing purposes, and for opinion polls, market surveys, or other similar surveys.
Personal data will not be disclosed except for the aforementioned purpose, unless otherwise provided by legislation.
Statistical service usage data may be disclosed to third parties in a format that does not allow for the identification of individual personal data. Personal data may be transferred to the Controller’s partners who process personal data on behalf of the Controller in accordance with the Controller’s instructions. The processor does not have the right to process personal data on their own behalf.
7. Transfer of data outside the EU or the EEA
The personal data processed by the Controller is stored on a server located within the area of the European Union. If personal data is transferred outside the European Union/European Economic Area (EU/EEA), for example when a service provider is located outside the EU/EEA, the Controller ensures that the data is transferred within the framework of applicable data protection provisions, such as decisions on adequate levels of information security adopted by the EU Commission.
8. Cookies
The Controller’s website uses cookies. A cookie is a small text file that is downloaded to and stored on the user’s device, enabling the website administrator to identify frequent visitors to the website and generate aggregated information about visitors.
Cookies are used to improve the customer experience of using the services and to collect information for analysis and marketing purposes. The cookie is stored on the mobile phone or computer used by the Customer. Cookies allow the Moovy service to identify the Customer’s mobile phone or computer.
Cookies can be used to customise the service to better meet the Customer’s needs. The Customer can choose to block or disable cookies. Blocking the use of cookies may interfere with the use and operation of the Moovy application or the Moovy online store or prevent their use.
9. Principles of register protection
The protection and processing of the data contained in the register complies with the provisions and principles of the General Data Protection Regulation and other data protection provisions as well as the regulations of authorities and good data processing practices. In addition, the Controller has an information security policy in place for the processing of personal data. The information security policy defines the principles by which data is processed and protected.
The register is maintained as a technical recording by the Controller or a party authorised by the Controller within the EU/EEA. The electronic material contained in the register is stored in databases that are protected against misuse and intrusion by firewalls, passwords, and other technical and application-based solutions at various levels that are commonly used in business operations.
The electronic register data is located in locked and supervised facilities protected by access control. Access to the register is controlled with user IDs and passwords. Access to the register is limited to individuals whose job description requires access to the register. The Controller’s personnel are under an obligation of confidentiality.
10. Data retention period
Personal data is only stored for the duration required for the purpose of the processing, or for as long as the Controller is required by law.
In general, the Customer’s personal data required for the use of the Moovy application and the Moovy online store is stored primarily for the duration of the customer relationship. At the end of the customer relationship, the personal data is primarily deleted within 90 days, and any information on parking events is anonymised.
If the Customer has not used the Moovy application for 24 months, the user account will be considered inactive and the related personal data will be deleted and the information on parking events will be anonymised within a reasonable amount of time.
As a general rule, customer service contact records are stored for 12 months, unless applicable legislation requires a longer storage period or the Controller has a legitimate interest in storing the data for a longer period.
At the end of the customer relationship or when the Customer submits a request to the Controller for the deletion of their personal data, the personal data will be deleted, and any data on parking events will be anonymised.
However, if required by legislation, personal data may be stored for longer than the aforementioned periods, for example for up to 10 years from the end of the year of the parking event as required by the Accounting Act. The data may also be stored on the basis of the Controller’s legitimate interest, for example for the collection of payment claims or the processing of legal claims.
Anonymised data may be stored until further notice.
11. Direct marketing
With the data subject’s consent, the Controller may send notices to the data subject about the services and products provided by the Controller and customer bulletins related to the use of the services, and also transfer the data subject’s data to the Controller’s partners whose activities are in some way related to the Controller’s activities or offerings, so that they can send offers concerning their own activities to the data subject.
The data subject may withdraw their consent in the Moovy application or by contacting the Controller’s customer service.
12. Rights of the data subject
A data subject has the right to access their register data free of charge once a year. For more frequent exercise of the right of access, the Controller may charge a reasonable compensation covering any direct expenses to the Controller. A written request for access must be submitted to the Controller including the contact details mentioned above. Before disclosing the data, the identity of the data subject is checked to ensure that the data are not disclosed to a party that is not the data subject.
If the data subject finds that the personal data in the register is inaccurate, incomplete, or has been processed in violation of the purpose of the register or applicable legislation, the data subject may use the email address mentioned above to request the Controller to rectify, block, restrict, or erase the personal data in question.
If the processing of personal data is based on the data subject’s consent, the data subject may withdraw their consent at any time by notifying the Controller either through the Moovy application or via the Controller’s contact details provided above. As the use of the services provided by the Controller requires the processing of the data subject’s personal data, the data subject accepts that withdrawing their consent to the processing of their personal data may prevent the use of the service.
If the data subject finds that their rights under the EU General Data Protection Regulation have been violated, they have the right to lodge a complaint with the supervisory authority. The Finnish national supervisory authority is the Office of the Data Protection Ombudsman, whose contact details are:
Office of the Data Protection Ombudsman
P.O. Box 800, Lintulahdenkuja 4, FI-00531 Helsinki
Tel. +358 29 566 6700
tietosuoja@om.fi
www.tietosuoja.fi
13. Changes to the privacy statement
The Controller continuously develops its operations and therefore reserves the right to update this privacy statement. Updates may also be based on changes in legislation. In order to obtain up-to-date information on the processing of personal data, the Controller recommends that the content of the privacy statement is reviewed at regular intervals.
Other privacy statements
Privacy statement – Job applicants »
This statement provides information on how we process the personal data of job applicants in connection with the recruitment process.
Privacy statement – Partners »
This statement provides information on how we process the personal data of our partners’ contact persons in order to manage cooperation and contractual relationships.