This privacy policy describes how MiMa Works Oy (hereinafter “we”) processes personal data in the Riville service (hereinafter “Service”) in accordance with the EU General Data Protection Regulation (GDPR) and Finnish data protection law.
1. Data Controller
MiMa Works Oy (Business ID 3618866-6)
Email: tuki@riville.app
2. Personal Data Processed
- Account information: name, email address, password hash, role (employee/supervisor/admin).
- Company and employment information: employer company name, worksites, pay types.
- Usage data: recorded work hours, breaks, equipment, kilometers driven, additions and compensations.
- Technical data: IP address, browser, device information, log data, and session data.
- Billing information: subscription details and payment transaction references (actual payment card data is processed by the payment service provider).
- Company identification and brand materials: company name, business ID, address, contact details, and uploaded logo used in the headers and footers of PDF reports.
3. Purposes and Legal Bases for Processing
- Provision of the Service and fulfillment of contractual obligations (GDPR 6.1 b).
- Billing, accounting, and statutory obligations (GDPR 6.1 c).
- Service data security, prevention of misuse, and development based on legitimate interest (GDPR 6.1 f).
- Customer communication and marketing with consent (GDPR 6.1 a) or based on legitimate interest for existing customers.
- Generating PDF and CSV reports and invoice attachments using the customer's own company information and logo (GDPR 6.1 b).
4. Data Sources
Personal data is obtained from the user themselves, their employer (for example, when a supervisor invites an employee to the Service), and as log data generated from the use of the Service.
5. Data Disclosure and Transfers
We do not sell personal data. We use reliable subcontractors who act as personal data processors:
- Cloud and database services (Service hosting, within the EU/EEA or with an equivalent level of protection).
- Payment services (Stripe Payments Europe, Ltd.) for billing subscriptions.
- Email services for sending transactional messages and confirmations.
Any transfers outside the EU/EEA are made under EU standard contractual clauses or other GDPR-approved protection mechanisms.
6. Retention Periods
- Account information: for the duration of the subscription and a reasonable period after its termination.
- Work hour entries and related compensations: at least as long as required by law (e.g., under the Accounting Act, 6 years from the end of the calendar year in which the financial year ended).
- Logs: typically up to 12 months, unless longer retention is required for data security reasons.
- Company information and logo: retained for as long as the account is active and deleted when the account is removed.
7. Data Subject Rights
- Right to access data and obtain a copy.
- Right to rectification and completion of data.
- Right to erasure of data (“right to be forgotten”) when conditions are met.
- Right to restriction of processing or objection to processing.
- Right to data portability.
- Right to withdraw consent.
- Right to lodge a complaint with a supervisory authority (Data Protection Ombudsman, tietosuoja.fi).
Requests can be sent via email to tuki@riville.app. We may request identification before processing the request.
8. Data Security
We protect data with appropriate technical and organizational measures: encrypted connections (TLS), password hashing, role-based access control, and row-level security (RLS).
9. Changes
We may update this statement as the Service or legislation changes. Significant changes will be announced within the Service.

