Last updated: 10 April 2026
1. Introduction
This Privacy Policy explains how Online Revenue Oy (“Kiito”, “we”, “us”, or “our”) processes personal data in connection with the Kiito.io service.
Kiito is a SaaS service for eCommerce analytics. We collect data from sources that our users authorize us to access, and analyse it on our own servers in order to provide analytics, reporting, and related service functionality.
We are committed to processing personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
2. Controller Information
Online Revenue Oy
Konepajankuja 1
00510 HELSINKI
Finland
Email: support@kiito.io
3. Scope of This Policy
This Privacy Policy applies to personal data processed in connection with:
- the Kiito website and service,
- customer accounts,
- integrations connected by users,
- analytics and reporting generated through the service,
- customer support and service communications,
- security, maintenance, and compliance activities.
4. What Data We Process
Depending on how the service is used, we may process the following categories of data:
4.1 Account and Contact Data
- name
- email address
- company details, including name and address
- account login and authentication-related information
- billing and subscription-related information
4.2 Integration and Connection Data
When users connect external platforms and services to Kiito, we may process:
- API credentials, access tokens, refresh tokens, and similar authorization data
- integration settings and technical connection metadata
User credentials stored by us are encrypted in our database.
4.3 Analytics and Business Data
We collect and process analytics and business performance data from sources authorized by the user, such as:
Advertising platforms
- Meta
- TikTok
- X
- Google Ads
Analytics sources
- Google Analytics
eCommerce platforms
- WooCommerce
- Shopify
This data may include, for example:
- campaign and ad performance metrics
- traffic and attribution data
- sales and order totals
- product and category performance
- store-level or channel-level performance data
- aggregated conversion and revenue data
4.4 Technical and Usage Data
We may also process:
- IP address
- browser and device information
- log data
- service events
- access timestamps
- usage statistics
- error and diagnostic data
4.5 Support and Communication Data
If you contact us, we may process:
- your name and contact details
- message contents
- support history
- information needed to investigate or resolve your request
5. Nature of the Analytics Data
Kiito is designed to process analytics data primarily in a way that does not identify individual natural persons. Our purpose is to provide business analytics and reporting at an aggregated or otherwise non-personalized level wherever possible.
We do not use the service to identify individual consumers or website visitors. Our aim is to process data in a form where individuals cannot reasonably be identified from the analytics outputs we provide.
However, some source systems connected by users may contain data that is considered personal data under applicable law. Where that is the case, we process such data only as necessary to provide the service, maintain security, and fulfil legal obligations.
6. Sources of Data
We collect personal data from:
- users directly, when they create an account or contact us,
- integrations and third-party platforms that users authorize us to access,
- technical systems used to operate, secure, and monitor the service.
We only fetch data from sources for which the user has granted permission or otherwise configured a connection.
7. Purposes of Processing
We process personal data for the following purposes:
- to provide the Kiito service
- to connect and maintain authorized data source integrations
- to host, organize, and analyse eCommerce and marketing analytics data
- to generate dashboards, reports, and insights
- to administer user accounts and subscriptions
- to provide customer support
- to secure the service, detect misuse, and prevent unauthorized access
- to maintain, troubleshoot, and improve the service
- to comply with legal obligations
- to establish, exercise, or defend legal claims
8. Legal Bases for Processing
Under GDPR, processing must rely on a valid legal basis. Depending on the context, Kiito processes personal data on one or more of the following bases:
8.1 Performance of a Contract
We process personal data where necessary to provide the Kiito service, manage the customer relationship, and perform our contractual obligations.
8.2 Legitimate Interests
We may process personal data where necessary for our legitimate interests, such as:
- securing the service and preventing abuse
- improving performance and reliability
- providing customer support
- internal administration
- limited business analytics regarding service operation
Where we rely on legitimate interests, we assess that such interests are not overridden by the rights and freedoms of the individuals concerned. Legitimate interest is a recognized GDPR legal basis, but it requires balancing against the individual’s rights.
8.3 Legal Obligation
We may process personal data where necessary to comply with applicable legal obligations, including accounting, tax, and regulatory requirements.
8.4 Consent
Where required by law, we rely on consent, for example for certain optional communications or processing activities where consent is the appropriate legal basis.
9. Controller and Processor Roles
The role of Kiito may vary depending on the processing activity.
9.1 When Kiito Acts as Processor
In most cases, when Kiito processes data from integrations connected by a customer for the purpose of providing the analytics service to that customer, the customer acts as the data controller and Kiito acts as the data processor on the customer’s behalf.
In these situations, we process data only in accordance with the customer’s instructions and the applicable agreement between us and the customer.
9.2 When Kiito Acts as Controller
Kiito acts as an independent data controller for certain processing activities, such as:
- account administration
- billing and subscription management
- service security
- support communications
- legal compliance
- internal records related to operating our business
GDPR requires processor relationships to be governed by a binding arrangement setting out the required elements of processing.
10. Data Storage and Security
We host customer data in the European Union.
We use appropriate technical and organizational measures to protect personal data, including:
- encryption of stored credentials and sensitive connection secrets
- access controls and role-based restrictions
- limited staff access to user data
- logging and monitoring of access and system events
- secure infrastructure and server management practices
- measures designed to prevent unauthorized access, alteration, disclosure, or destruction of data
Our staff handles data with maximum care, and access to user data is restricted to authorized personnel with a legitimate need to access it.
11. Data Sharing and Disclosure
We do not sell personal data.
We may share personal data only where necessary with:
- infrastructure and hosting providers
- technical service providers and subprocessors used to operate Kiito
- payment, support, or security service providers
- competent authorities, where required by law
- professional advisers where necessary for legal, accounting, or compliance purposes
Where third parties process personal data on our behalf, we require appropriate contractual and data protection safeguards.
12. International Data Transfers
Our primary hosting is in the EU. However, some of the third-party platforms connected by users, or some of our service providers, may involve processing or access outside the European Economic Area.
Where personal data is transferred outside the EEA, we will ensure that an appropriate safeguard under GDPR is in place, such as:
- a European Commission adequacy decision, or
- Standard Contractual Clauses (SCCs), where applicable.
13. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including:
- for as long as the customer account remains active,
- for as long as needed to provide the service,
- for as long as necessary to comply with legal, tax, accounting, or regulatory requirements,
- for as long as necessary to resolve disputes, enforce agreements, or protect our legal rights.
When data is no longer needed, we delete it or anonymize it where appropriate.
14. Data Subject Rights
Where GDPR applies, individuals may have the following rights, subject to applicable limitations:
- right of access
- right to rectification
- right to erasure
- right to restriction of processing
- right to data portability
- right to object to certain processing
- right to withdraw consent at any time, where processing is based on consent
- right to lodge a complaint with a supervisory authority
Under GDPR, some rights depend on the legal basis being used. For example, the right to object is specifically tied to processing based on legitimate interests or public-interest grounds, and portability applies in certain cases such as contract or consent.
Requests regarding personal data can be sent to: support@kiito.io
If Kiito acts only as a processor for the relevant data, we may direct the request to the relevant customer as controller, or assist the customer in responding as required.
15. Cookies and Similar Technologies
Kiito uses cookies and similar technologies that are necessary for operating the service, such as login sessions, security, preferences, and basic service functionality.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will publish the updated version on our website and update the “Last updated” date above.
17. Contact
If you have any questions about this Privacy Policy or our processing of personal data, please contact:
Online Revenue Oy
Konepajankuja 1
00510 HELSINKI
Finland
Email: support@kiito.io