Privacy Policy

Last updated: 2026-01-14

1. Introduction

Wooli Oy (“Wooli”, “we”, “us”, or “our”) operates the RFQ Link service. We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). This Privacy Policy explains what personal data we collect, why we collect it, how we use and disclose it, how long we keep it, and the rights available to you.

Data controller

  • Wooli Oy (registered in Finland) — address: [insert registered address].
  • Contact for privacy requests and data subject requests: use our dedicated webform at [insert data subject request form URL]. We will use that form to verify and process requests.

Scope

This policy applies to all users of RFQ Link (buyers, suppliers, account administrators), visitors to our website, and other persons whose data we process in connection with our Services.

2. Categories of Personal Data We Collect

We collect the following categories of personal data in connection with providing the Services:

A. Account and identity data

  • Examples: name, business name, job title, email address, phone number, organisation details, username, password (hashed), billing address, VAT or tax identifiers.
  • Collected: when you register, create a profile, or verify your account.

B. RFQ, bid and transaction data

  • Examples: RFQ content, item descriptions, bid amounts, attachments, selection outcomes, purchase orders, invoices, contractual terms, communications exchanged between users.
  • Collected: when you create RFQs, submit bids, accept offers, or use transactional features.

C. Usage and technical data

  • Examples: IP address, device and browser type, operating system, pages visited, session timestamps, feature usage, clickstream, cookies, server logs, crash logs.
  • Collected: automatically when you use the Services.

D. Payment and billing data

  • Examples: payment tokens, transaction identifiers, billing amounts, invoice history.
  • Payments are processed by Stripe; we do not store full card numbers unless explicitly required and explicitly disclosed.

E. Support and communications data

  • Examples: correspondence with support, feedback, survey responses, and records of interactions with our customer success or sales teams.

F. Marketing and preference data

  • Examples: communication preferences, marketing opt-ins/opt-outs.

G. Sensitive categories

We do not intentionally collect special category data (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, health data). Do not submit such data through the Services. If we become aware we processed such data inadvertently, we will delete it unless retention is required by law.

3. How We Use Your Personal Data and Legal Bases

We process personal data to provide and improve the Services, for legitimate business operations, and to meet legal obligations. The legal bases for processing under GDPR include performance of a contract, legitimate interests, compliance with a legal obligation, and consent where required.

Typical purposes and legal bases:

  • To provide, operate, and maintain the Services (performance of a contract).
  • To create and manage user accounts, authentication, and account recovery (performance of a contract; legitimate interests).
  • To facilitate RFQ posting, bidding, quoting, and transactions between users (performance of a contract).
  • To process payments and issue invoices (performance of a contract; legal obligation for accounting/tax).
  • To communicate with you about your account, transactions, and service updates (performance of a contract; legitimate interests).
  • To prevent fraud and abuse and to maintain platform security (legitimate interests).
  • To analyze usage, improve, and personalise the Services (legitimate interests; where required, consent).
  • For marketing communications where you have consented (consent). You may withdraw consent at any time.
  • To comply with legal obligations and respond to lawful requests by public authorities (legal obligation).

4. Sharing and Disclosure of Personal Data

We do not sell personal data. We share personal data only as described below or with your consent.

  • Service providers and subprocessors: We engage third-party providers to perform services on our behalf (hosting, analytics, email delivery, payment processing). These vendors process data under contract and only per our instructions. Current notable processors include:
    • Stripe (payment processing)
    • [Insert hosting provider — e.g., AWS / DigitalOcean / other — add specifics]
    • [Insert analytics / email delivery providers if used]
    Please contact us via the webform for a current list of processors.
  • Platform users: RFQs, bids, attachments, and messages you post on the platform are visible to other users where required for the functionality of the service (for example, suppliers can view RFQs posted by buyers to submit bids). Do not post confidential personal data unless necessary and authorised by relevant policies or agreements.
  • Legal and safety disclosures: We may disclose personal data to comply with applicable law, legal process, or government request; to detect, prevent, or otherwise address fraud, security or technical issues; or to protect Wooli’s rights, property, or the safety of users.
  • Business transfers: In the event of a merger, sale, or acquisition of all or part of Wooli or our assets, personal data may be transferred as part of that transaction. We will provide notice and contractual protections as required.
  • Affiliates: We may share data with our corporate affiliates for business purposes where necessary.

5. International Transfers and Safeguards

Wooli operates from Finland and may transfer personal data to countries outside the European Economic Area (EEA), including to the United States, in connection with subprocessors (e.g., Stripe or hosting/analytics providers). Where personal data is transferred outside the EEA, we use appropriate safeguards such as:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission, and/or
  • Other lawful transfer mechanisms under GDPR.

You can request details of the transfer mechanisms and subprocessors via the data subject request webform.

6. Data Retention

We retain personal data only as long as necessary for the purposes set out in this Policy, to satisfy legal obligations, to resolve disputes, to enforce agreements, and to maintain security. Typical retention periods:

  • Account data: retained for the duration of the active account and for up to [24 months]* after account termination for backup, fraud prevention, and to fulfil legal obligations.
  • RFQ, bid, and transaction data: retained for [6–10 years]* where necessary to meet contractual, accounting, tax, or audit obligations; adjust according to applicable laws and customer agreements.
  • Support and communications records: retained for [12–36 months]*.
  • Log files and technical monitoring data: retained for a limited period (typically [6–24 months]*), subject to operational and security needs.

[*Fill the bracketed retention periods according to company policy and applicable Finnish retention requirements; the suggested ranges reflect common practice.]

7. Cookies and Similar Technologies

We use cookies and similar technologies to operate the Services, improve user experience, and for analytics and marketing. Categories include:

  • Strictly necessary cookies — required for core functionality.
  • Performance and analytics cookies — to measure and improve site performance.
  • Marketing cookies — to support personalised advertising and tracking.

You will be presented with a cookie consent banner on first visit where required by law. You may manage or withdraw cookie consent via our Cookie Settings page or through your browser settings. Note that blocking cookies may affect functionality.

8. Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • TLS encryption for data in transit;
  • Access controls, and multi-factor authentication for administrative access where feasible;
  • Regular patching and vulnerability management;
  • Logging and monitoring for suspicious activity; and
  • Contracts with subprocessors requiring appropriate security measures.

Despite our security practices, no system is infallible. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the applicable supervisory authority (Finnish Data Protection Authority, Tietosuojavaltuutetun toimisto) and affected data subjects where required by law.

9. Your Rights and How to Exercise Them

Under the GDPR and applicable Finnish law, you have rights in relation to your personal data, subject to certain conditions:

  • Right of access: request access to the personal data we hold about you.
  • Right to rectification: ask us to correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”): request deletion of personal data where legal grounds permit.
  • Right to restriction of processing: request limits on processing in certain circumstances.
  • Right to data portability: receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object: object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent: where processing is based on consent, withdraw that consent.
  • Right to lodge a complaint with a supervisory authority: if you believe your rights have been violated, you may file a complaint with the Data Protection Ombudsman in Finland (Tietosuojavaltuutetun toimisto) or another competent supervisory authority.

To exercise any rights, use our data subject request webform at [insert data subject request form URL]. We may require proof of identity to verify requests and will respond within GDPR timeframes (normally one month, extended where permitted by law).

10. Minors

The Services are not intended for children under 16 (or the minimum age required in the user’s jurisdiction). We do not knowingly collect personal data from minors. If we learn we have collected personal data of a minor, we will take steps to delete it. If you believe we have collected data from a minor, please contact us via the webform.

11. Third-Party Links and Integrations

The Services may contain links to third-party websites, widgets, or integrations that are not operated by Wooli. This Privacy Policy does not cover those third parties. We recommend that you review the privacy policies of those services before providing personal data.

12. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or Services. We will post the revised policy with an updated “Last updated” date and, where required by law, provide additional notice (for example, email to account holders). Continued use of the Services after changes are posted constitutes acceptance of the revised policy.

13. Contact and Supervisory Authority

For questions about this Privacy Policy or to make a data subject request, use our webform at: Link to our support form.

Supervisory authority (Finland)

  • Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
  • Website: https://tietosuoja.fi/en/home
  • Address and contact details: see the Ombudsman’s website for current contact information.

14. Additional Finland/EU Notes

  • Legal basis and data transfers: For transfers outside the EEA we use SCCs or other lawful safeguards. You can request a copy of the safeguards via the webform.
  • Records of processing: Wooli maintains records of processing activities as required under GDPR for our business operations.