Privacy Policy

1. Introduction

ActiveShift Oy ("ActiveShift", "we", "us", or "our") operates the HIKI platform at gethiki.com (the "Platform"). HIKI is an online marketplace that connects users ("Users" or "you") with independent providers of physical activities such as fitness classes, outdoor sports, and wellness sessions ("Providers").

This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the Platform. It applies to all visitors, registered Users, guest Users who book without an account, and Providers.

ActiveShift Oy (Business ID: 3484874-7, Varputie 2 E, 02270 Espoo, Finland) is the data controller responsible for processing your personal data within the meaning of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). We process personal data in accordance with the GDPR, the Finnish Data Protection Act (tietosuojalaki 1050/2018), the Digital Services Act (Regulation (EU) 2022/2065, "DSA"), and other applicable data protection legislation.

We do not currently have a Data Protection Officer (DPO). For all data protection inquiries, please contact us at privacy@gethiki.com.

2. What Personal Data We Collect

The data we collect depends on how you interact with the Platform. We have designed the Platform to collect only data that is necessary for each purpose.

2.1 Data You Provide to Us

Account registration

• Email address
• Password (stored only as a cryptographic hash; we never store your password in readable form)
• Name (first and last), if you choose to provide it in your profile

If you register using Google Sign-In, we receive your name, email address, and profile picture from Google, as permitted by your Google account settings.

Booking and checkout

• Email address (required for both guest and authenticated bookings)
• First name and last name
• Billing address (street address, city, postal code, country)
• Activity selection, date, time, and number of participants

We do not collect or store your payment card number, expiry date, or CVC. These are submitted directly to our payment processor, Stripe, and never pass through our servers.

Provider registration (Providers only)

When you register as a Provider, we collect the following information through our multi-step onboarding process:

Organisation information: legal business name, registered business address (street address, city, postal code, and country), contact email address, contact telephone number, legal jurisdiction (country of establishment), and VAT registration number (for EU-based businesses), which is verified against the EU VIES system.

Public profile and venue details: public provider name, venue name, and venue address (street address, city, postal code, and country). Venue geographic coordinates (latitude and longitude) are derived automatically from the venue address you enter.

Payment account details are collected and managed by Stripe Connect during a dedicated onboarding step. We pre-fill certain information you have already provided (such as your legal business name, registered address, and VAT number) into the Stripe Connect form.

Self-certification: a timestamped record of your declaration that you will only offer services that comply with applicable EU and Finnish law, as required by the Digital Services Act, Article 30(1)(e).

Identity verification for Providers is conducted by Stripe as part of its regulated Know Your Customer (KYC) process. We receive a confirmation of verification status from Stripe but do not store copies of identity documents ourselves.

In accordance with the Digital Services Act, Article 30(7), certain Provider information is displayed to consumers on activity listing pages: your business name, city (from your registered business address), and a means of contacting you (your contact email address).

Communications

• Content of support emails you send to support@gethiki.com, legal@gethiki.com, or privacy@gethiki.com
• Content of any dispute you submit through the Platform

2.2 Data We Collect Automatically

Device and technical data

• Browser type and version, operating system, screen resolution
• IP address
• Referring URL and pages visited on the Platform

Platform usage events and local storage

We operate a first-party measurement system to understand how the Platform is used. This system records events about your interactions — for example, which activities you view, when you start a checkout, or when a booking is confirmed. To support this system, we store the following identifiers in your browser:

• Anonymous identifier — a randomly generated unique identifier stored in your browser's localStorage. This persists across browsing sessions and allows us to understand return-visit patterns. It is not linked to your name or email unless you are logged in.
• Session identifier — a randomly generated unique identifier stored in your browser's sessionStorage. This is created fresh each time you open a new browser tab and is discarded when you close it.
• UTM campaign parameters — if you arrive at the Platform via a marketing link, the campaign source, medium, and campaign name are stored in sessionStorage for the duration of that tab session.

Each measurement event includes: the event name and timestamp, the anonymous identifier, the session identifier, the page path, and any UTM parameters. This data is stored in our own database (Supabase, hosted in the EU). It is not sent to any third-party analytics service. We do not use Google Analytics or any equivalent third-party tracking tool.

Because the anonymous identifier and session identifier are stored in your browser's local storage (not cookies), they fall under Article 5(3) of the ePrivacy Directive (implemented in Finland by Act 917/2014, §205), which requires your consent for storing non-essential information on your terminal equipment. The anonymous identifier in particular is not strictly necessary to provide the Platform's core service — it serves our analytics purposes. We therefore require your consent before creating and storing these identifiers. See Section 8 for details on how we obtain and manage this consent.

Error and diagnostic data

We use Sentry, a third-party error monitoring service, to detect and diagnose software errors that occur while you use the Platform. When an error occurs, the following data may be automatically collected and sent to Sentry: the error message and stack trace, your browser type and version, operating system, device type, the URL where the error occurred, and your IP address (which Sentry uses to derive an approximate country-level location and then discards). This data is processed under our legitimate interest (Article 6(1)(f) GDPR) in maintaining a functional and reliable Platform. Error data is retained for 90 days.

Discovery context

When you set a search location and date range, we store this discovery context in your browser's localStorage so you do not lose your search criteria as you navigate between pages. This storage is strictly necessary to provide the search functionality you explicitly requested and does not require separate consent.

Location data

When you use the activity discovery feature, you may choose to share your device's geographic location with us via the browser's Geolocation API. This allows us to show activities within approximately 50 km of your location. Location sharing is entirely voluntary — the browser will always ask for your permission before sharing your coordinates, and you can enter a location manually instead.

We use your coordinates only to calculate proximity to activity venues during your current browsing session. We do not store precise geographic coordinates permanently. We do not track your movements or build a location history.

2.3 Data We Receive from Third Parties

• Google Sign-In: If you authenticate using Google, we receive your name, email address, and profile picture as described above.
• Stripe: We receive payment confirmation status, transaction identifiers, and fraud risk assessments from Stripe for completed bookings. We also receive Provider verification status from Stripe Connect.
• EU VIES system: We verify Provider VAT numbers against the European Commission's VAT Information Exchange System.

2.4 Data We Do Not Collect

We want to be clear about data we do not process:

• Health or medical data. Although the Platform concerns physical activities, we do not collect information about your health conditions, medical history, fitness levels, or biometric data. We do not request or require you to disclose any health-related information to use the Platform. We note that the Court of Justice of the European Union has adopted a broad interpretation of “data concerning health” under GDPR Article 9 (Case C-21/23, Lindenapotheke, 4 October 2024), under which data that could indirectly reveal health information through inference may qualify as special category data. A booking for a general fitness class (such as yoga or swimming) does not, in our assessment, reveal health data. However, if a Provider offers activities with an explicitly therapeutic or rehabilitative description (for example, “post-injury rehabilitation”), a booking for such an activity could arguably be linked to a health condition. We monitor our activity categories to ensure that no special category data is processed without a valid legal basis under Article 9(2). If you have concerns about the sensitivity of a specific booking, please contact us at privacy@gethiki.com.
• Advertising identifiers or third-party tracking. We do not serve advertisements, use advertising cookies, or share data with advertising networks or third-party analytics services.
• Finnish personal identity codes (henkilötunnus). We do not collect personal identity codes. Provider identification uses business-level identifiers (Y-tunnus / VAT number).

3. Why We Process Your Data and Our Legal Bases

Under the GDPR, we must have a valid legal basis for each processing activity. The table below sets out the purposes for which we process personal data, the data categories involved, and the legal basis we rely on.

Where we rely on legitimate interest (Art. 6(1)(f)), we have conducted a balancing assessment weighing our interests against your privacy rights. You have the right to object to processing based on legitimate interest (see Section 7).

Where we rely on consent (Art. 6(1)(a)), you can withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. For analytics, use the consent controls described in Section 8. For geolocation, revoke permission in your browser settings or enter a location manually.

3.1 Whether Providing Your Data Is Required

In accordance with GDPR Article 13(2)(e), we inform you of the following:

Contractual requirement: Providing your email address, name, and billing address is a contractual requirement necessary to create an account and complete bookings. If you do not provide this data, we cannot provide the Platform's core services to you (account creation, booking, and payment processing).

Legal obligation: For Providers, providing business identification data (legal business name, registered address, VAT number, contact details) is required to comply with the Digital Services Act (Article 30, trader traceability) and Finnish tax legislation. If a Provider does not provide this data, we cannot permit them to list activities on the Platform.

Voluntary data: Geolocation data and analytics consent are entirely voluntary. You can use the Platform without sharing your location (by entering a location manually) and without consenting to analytics. Your access to Platform features is not conditioned on providing this data.

4. Who We Share Your Data With

We do not sell your personal data to anyone. We share data only as described below, and only to the extent necessary for each purpose.

4.1 Activity Providers

When you book an activity, we share your name and booking details (activity, date, time, number of participants) with the Provider so they can deliver the service. Providers process this data as independent data controllers for their own service delivery purposes. We advise you to review each Provider's own privacy practices.

4.2 Payment Processor — Stripe

All payments are processed by Stripe Payments Europe Limited (SPEL), an entity incorporated in Ireland and authorised as an Electronic Money Institution by the Central Bank of Ireland.

Stripe acts in a dual capacity: as our data processor when processing payment transactions on our instructions, and as an independent data controller for its own purposes including fraud prevention, anti-money laundering compliance, and regulatory obligations. We share your name, email, billing address, and transaction details with Stripe.

Stripe's privacy policy is available at stripe.com/privacy.

4.3 Infrastructure and Service Providers (Data Processors)

We use the following third-party service providers who process data on our behalf under written data processing agreements (GDPR Article 28):

We do not use any third-party analytics services. Our measurement system is first-party: usage events are stored directly in our own Supabase database (hosted in the EU) and are not transmitted to Google Analytics, Meta, or any other third-party tracking platform.

4.4 Legal Disclosures

We may disclose your personal data if we believe in good faith that disclosure is necessary to comply with a legal obligation (such as a court order or regulatory request), protect our legal rights or the rights of others, or investigate fraud or security incidents. We will notify you of such disclosures to the extent permitted by law.

4.5 Business Transfers

If ActiveShift Oy is involved in a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy and will ensure the successor is bound by terms at least as protective as this policy.

5. International Data Transfers

We store and process your personal data primarily within the European Union (EU) and European Economic Area (EEA). Our primary database is hosted in the EU (Stockholm, Sweden).

Some of our service providers are based in or have infrastructure in the United States. When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V:

• EU-US Data Privacy Framework (DPF): The European Commission adopted an adequacy decision for the EU-US DPF on 10 July 2023 (Commission Implementing Decision (EU) 2023/1795). Stripe, Resend, and Vercel are certified under the DPF. We rely on this adequacy decision as the primary transfer mechanism for these providers.
• Standard Contractual Clauses (SCCs): We maintain SCCs (Commission Implementing Decision (EU) 2021/914) as a supplementary safeguard with all US-based processors, including those certified under the DPF. For Supabase, which is not DPF-certified, SCCs serve as the primary transfer mechanism, supplemented by additional safeguards including EU-region hosting (Stockholm) and encryption at rest and in transit.

You can contact us at privacy@gethiki.com for more information about the specific safeguards applied to any transfer.

6. How Long We Keep Your Data

We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law. When the retention period expires, we delete or anonymise the data.

When you request account deletion, your account is immediately deactivated (you cannot log in or make bookings). We apply a 30-day grace period before permanent deletion to protect against accidental account loss; during this period you may cancel the deletion and reactivate your account. After the 30-day grace period, we permanently delete all data not required by law. Data that must be retained for legal compliance (such as transaction records for accounting purposes) is moved to a restricted-access archive accessible only for legal compliance, and is automatically deleted when the statutory retention period expires.

7. Your Rights Under the GDPR

As a data subject, you have the following rights. You can exercise any of these rights by contacting us at privacy@gethiki.com. We will respond within one month (extendable by two months for complex requests, with notice to you).

Right of access (Article 15)

You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data in a commonly used electronic format.

Right to rectification (Article 16)

You may request correction of inaccurate personal data or completion of incomplete data. You can also update your name and billing information directly in your account settings.

Right to erasure (Article 17)

You may request deletion of your personal data where it is no longer necessary for the purposes it was collected, you withdraw consent (where consent was the basis), you object to processing and we have no overriding legitimate grounds, or the data has been unlawfully processed. We may retain data required by law (see Section 6).

Right to restriction of processing (Article 18)

You may request that we limit the processing of your data while we verify its accuracy, assess an objection you have raised, or where the processing is unlawful but you prefer restriction over deletion.

Right to data portability (Article 20)

For data you provided to us that we process based on consent or contract performance by automated means, you may request a copy in a structured, commonly used, machine-readable format (such as JSON or CSV), and have it transmitted to another controller where technically feasible.

Right to object (Article 21)

You have the right to object to processing based on our legitimate interests (currently: platform security and fraud prevention, and defence of legal claims in support/dispute correspondence). We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to withdraw consent

Where we process data based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Consent applies to:

• Analytics: Withdraw via the consent controls described in Section 8. When you withdraw, we delete the analytics identifiers from your browser and cease recording measurement events for your session.
• Geolocation: Revoke permission in your browser settings, or simply enter a location manually.

Right to lodge a complaint

If you believe our processing of your personal data infringes data protection law, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is:

Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)

Lintulahdenkuja 4, 00530 Helsinki, Finland

Website: tietosuoja.fi

Email: tietosuoja@om.fi

We encourage you to contact us first at privacy@gethiki.com so we can try to resolve your concern directly.

8. Cookies, Local Storage, and Consent

The ePrivacy Directive (2002/58/EC, Article 5(3)), implemented in Finland by the Act on Electronic Communications Services (917/2014, §205), requires prior informed consent before storing or accessing non-essential information on your device. The EDPB confirmed in Guidelines 2/2023 (adopted October 2024) that this rule applies not only to cookies but also to localStorage, sessionStorage, and other client-side storage mechanisms.

8.1 Strictly Necessary Storage (No Consent Required)

The following storage is essential for the Platform to function and is exempt from the consent requirement:

8.2 Analytics Storage (Consent Required)

The following storage supports our first-party measurement system and requires your consent before we create or access it:

8.3 How We Obtain and Manage Consent

When you first visit the Platform, you will see a consent banner that clearly explains our use of analytics storage. You may accept or reject analytics. Your choice is respected immediately:

• If you accept: We create the anonymous and session identifiers and begin recording measurement events for your session.
• If you reject: No analytics identifiers are created, no measurement events are recorded, and the Platform functions normally in all other respects.

You can change your preference at any time by clicking "Cookie Settings" (or equivalent) in the website footer. When you withdraw consent, we delete the analytics identifiers from your browser storage and stop recording events. Withdrawal does not affect the lawfulness of events recorded while consent was active.

Cookie and storage consent on the HIKI website is supervised by the Finnish Transport and Communications Agency (Traficom) under §205 of the Act on Electronic Communications Services (917/2014). The GDPR consent standard (Article 4(11)) applies to the quality of consent required.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of all data in transit using TLS/SSL
• Encryption of data at rest in our database
• Row-level security (RLS) policies in our database ensuring users can only access their own data
• Password hashing — we never store passwords in readable form
• Restricted access to personal data — only authorised personnel and service providers who need the data to perform their duties have access
• Guest checkout tokens are stored as SHA-256 hashes, not in plaintext
• Supabase SOC 2 Type II certification for our database infrastructure

No system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Finnish Data Protection Ombudsman without undue delay and within 72 hours of becoming aware of the breach (GDPR Article 33). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly (GDPR Article 34).

10. Children and Minimum Age

The Platform is intended for users aged 16 years or older. If you are under 16, you may not create an account or use the Platform. While the Finnish Data Protection Act sets the age of digital consent at 13 (Section 5), our Terms of Service set the minimum age at 16 for contractual and safety reasons.

If we become aware that we have collected personal data from a person under 16 without appropriate authorisation, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@gethiki.com.

11. Automated Decision-Making and Profiling

We do not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you (GDPR Article 22).

We use algorithmic sorting to order activity listings in discovery results. This ranking affects the display order but does not restrict your access to any listing, and does not produce legal or similarly significant effects. The parameters used for ranking are described in our Terms of Service. You can re-sort results manually using the sort and filter controls provided.

12. Digital Services Act — Privacy-Related Obligations

As an online marketplace under the DSA (Regulation (EU) 2022/2065), we are subject to specific obligations that interact with data protection law. The EDPB confirmed in Guidelines 3/2025 that the DSA does not override or replace the GDPR — both apply in full.

Provider data and trader traceability

The DSA requires online marketplaces to collect and verify certain trader information before allowing listings (Article 30). We currently collect and verify Provider business names and VAT numbers as part of our onboarding process. As we extend our Provider onboarding to collect additional fields required by DSA Article 30 (such as registered business address, telephone number, and trade register number), we will update this Privacy Policy accordingly. DSA Article 30 creates a legal obligation (GDPR Article 6(1)(c)) that serves as the legal basis for this future collection.

Protection of minors (DSA Article 28)

We do not serve advertising, and therefore do not profile minors (or any users) for advertising purposes. Our minimum age requirement of 16 and our avoidance of advertising-related data processing serve the objectives of DSA Article 28.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you by posting the updated policy on the Platform with a new "Last updated" date. For significant changes, we may also notify you by email.

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes become effective signifies your acknowledgement of the updated policy. If you do not agree with any update, you should stop using the Platform and may request deletion of your account.

Previous versions of this Privacy Policy are available upon request.

14. Contact Us

If you have any questions about this Privacy Policy, want to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:

Data protection inquiries: privacy@gethiki.com

General support: support@gethiki.com

Legal matters and content reports: legal@gethiki.com

Postal address:

ActiveShift Oy

Varputie 2 E

02270 Espoo, Finland

Business ID: 3484874-7

ActiveShift Oy is the data controller responsible for processing your personal data as described in this Privacy Policy.