Privacy Policy & Data Protection Statement
- Controller: Jutiland Ltd (“Jutiland”, “we”, “our”, “us”)
- Business ID (Y-tunnus): 3170110-9
- Registered address: Löwenkatu 2, 10300 Karjaa, Finland
- Privacy contact: privacy@jutiland.com
- Last updated: 21 July 2026
This statement explains how Jutiland Ltd processes personal data across its operations, website, and service offerings: our live production service (Jutiland) and our virtual event platform (Aula Events). It is written to meet the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Finnish Data Protection Act (1050/2018), and applies wherever our visitors, clients, and event attendees are located.
1. Our two roles: controller and processor
Our data protection responsibilities depend on whose data it is and who decided to collect it.
We are the data controller for personal data we collect for our own purposes:
- visitors to our website;
- our marketing, sales, and prospect contacts;
- our direct business clients (contract, billing, and relationship data).
We are a data processor for personal data we handle on behalf of a client running an event on the Aula Events platform. In that case the event-hosting organisation is the controller: they decide what attendee data is collected and why. We process that data only on their documented instructions, under a written Data Processing Agreement (GDPR Art. 28).
If you are an event attendee and want to exercise your rights, your request is usually directed to the organisation that hosted the event. We will help that organisation respond, and will pass your request to them without undue delay.
We are not required to appoint a Data Protection Officer and have not done so; data-protection matters are handled at privacy@jutiland.com.
2. Data we collect and why
We collect only the minimum personal data needed for each purpose. Each purpose has a legal basis under GDPR Art. 6.
| Personal data | Purpose | Legal basis (Art. 6) |
|---|---|---|
| Name, email, company, job title | Register you for an event we host; respond to enquiries; manage our client relationship | Performance of a contract / taking steps before a contract, Art. 6(1)(b); or legitimate interest in responding to you, Art. 6(1)(f) |
| Business contact details of prospects | Relevant B2B outreach about our services | Legitimate interest in marketing our services to relevant audiences, Art. 6(1)(f) |
| IP address, browser/device type, strictly necessary cookies, session logs | Keep your video session stable and secure; protect the platform | Legitimate interest in security and service operation, Art. 6(1)(f) |
| Optional analytics/usage data | Improve the platform (only if you consent) | Consent, Art. 6(1)(a) |
| Invoicing and accounting records | Meet statutory accounting obligations | Legal obligation, Art. 6(1)(c) (Finnish Accounting Act 1336/1997) |
| Event imagery and recordings featuring identifiable individuals | Use in Jutiland’s own marketing and references | Legitimate interest in showcasing our work; an identifiable individual may object, Art. 6(1)(f) |
For attendee data processed on the Aula Events platform on a client’s behalf, the legal basis is determined by that client as controller; we do not decide it.
Is providing data required? Giving your name and email is necessary to register you for an event or to respond to your enquiry; without it we cannot provide those services. Analytics and other optional data is never required, and you are under no statutory obligation to provide personal data to us.
3. Where the data comes from
We collect personal data:
- directly from you: when you register, contact us, or use the platform; and
- from an event host: when an organisation provides us with its attendee list so we can run their event. In that case the host is responsible for informing its attendees and for having a lawful basis to share the data with us (GDPR Art. 14).
4. Sub-processors (our tech stack)
To deliver virtual events and reliable video, we use specialised infrastructure and software providers. These act as our sub-processors (or, for our own controller data, as our processors). We enter into a Data Processing Agreement with each and rely on a lawful transfer mechanism where data leaves the EU/EEA.
We disclose our providers by category below, and name our principal infrastructure providers. A complete, current named sub-processor list is maintained separately and is available to clients on request; we keep it up to date rather than re-issuing this policy each time a provider changes.
| Category | Principal provider(s) | Purpose | Location & transfer mechanism |
|---|---|---|---|
| Event-registration software | OpnForm | Registration and attendee data collection | EU-hosted |
| Core cloud infrastructure | Amazon Web Services (AWS) | Video routing, media processing, storage | EU regions (e.g. Frankfurt/Stockholm) for European deployments |
| Real-time video/audio | 100ms | Live streaming infrastructure | EU workspaces for European deployments |
| Stream delivery & video data | Mux | Live delivery, optimisation, video analytics | USA: EU-US Data Privacy Framework (DPF) and EU Standard Contractual Clauses |
| Video playback / on-demand hosting | Livid | Playback engine and recorded-video hosting | USA: under Data Processing Agreement and EU Standard Contractual Clauses |
| Virtual venue front-end | BeHuman Communications Inc. | User interface and venue layout | Canada: EU adequacy decision (GDPR Art. 45) + Data Processing Agreement |
Other tools that process limited personal data (for example email, scheduling, file storage, payment, and accounting software) are listed in the separate named sub-processor list.
5. International data transfers
Where personal data is transferred outside the EU/EEA, we rely on one of the safeguards permitted under GDPR Chapter V:
- an adequacy decision by the European Commission (e.g. Canada, for PIPEDA-covered recipients, Art. 45);
- the EU-US Data Privacy Framework for certified US recipients; and/or
- Standard Contractual Clauses (Art. 46) with supplementary measures where needed.
You can request details of the safeguard applied to a specific transfer by contacting privacy@jutiland.com.
6. Data retention
We do not keep personal data longer than necessary:
- Event registration lists, interaction logs, and temporary chat: deleted or anonymised within 90 days after the event concludes (or sooner once no longer needed), unless the event host (as controller) instructs otherwise.
- Client contract and billing records: retained for 6 years as required by the Finnish Accounting Act.
- Marketing/prospect contacts: until you opt out or the contact is no longer relevant.
For data we process on a client’s behalf, retention follows that client’s documented instructions.
7. Security
We apply appropriate technical and organisational measures (GDPR Art. 32), including access control, encryption in transit, EU-region data residency where configured, and limiting personal data access to what is needed to run an event.
8. Your rights
Subject to the conditions in GDPR Articles 15-22, you have the right to:
- access a copy of your data and data portability (Arts. 15, 20);
- rectification of inaccurate data (Art. 16);
- erasure: the “right to be forgotten” (Art. 17);
- restriction of processing (Art. 18);
- object to processing based on legitimate interest, including direct marketing (Art. 21);
- withdraw consent at any time, where processing is based on consent, without affecting prior processing (Art. 7(3)).
We do not use solely automated decision-making or profiling that produces legal effects (Art. 22).
To exercise any right, contact privacy@jutiland.com. If your request concerns an event run by one of our clients, we will forward it to that client as the controller.
Right to complain. If you believe we have handled your data unlawfully, you may lodge a complaint with the Finnish supervisory authority, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), tietosuoja.fi, tietosuoja@om.fi.
You may also contact the supervisory authority in your own EU/EEA country of residence.
9. Cookies
We use strictly necessary cookies to keep your video session working and secure; these do not require consent. Any analytics or non-essential cookies are used only with your consent, which you can give or withdraw via our cookie settings.
10. Children
Our services are intended for business and professional use and are not directed at children. We do not knowingly collect data from children under the age applicable in their country (13 in Finland under the Data Protection Act 1050/2018 § 5; GDPR Art. 8).
11. Changes to this policy
We may update this statement as our services or providers change. The “Last updated” date shows the current version; material changes will be communicated to affected clients.
12. Contact
Jutiland Ltd · Löwenkatu 2, 10300 Karjaa, Finland · privacy@jutiland.com