
Privacy Policy – Viio SaaS Management Platform

Last updated: 01.11.2025

Controller: Viio Technologies ApS

Address: Dampfærgevej 27–29, 5. sal, 2100 Copenhagen, Denmark

Contact: privacy@viio.io

This Privacy Policy explains how Viio Technologies ApS (“Viio”, “we”, “us” or “our”) processes personal data when you use the Viio SaaS Management Platform (“Platform”). It is designed to meet the requirements of the EU General Data Protection Regulation (GDPR).

This policy does not replace or modify any Data Processing Agreement (DPA) we may enter into with our customers. When we process personal data on behalf of our customers, the DPA governs those processing activities.

1. Roles Under GDPR

Viio acts in two different capacities depending on the type of data:

Data Controller

We act as a data controller for:

  • Account authentication and access (SSO)
  • Technical and analytics data collected within the Platform
  • Communication and support interactions

Data Processor

We act as a data processor when we process customer personal data (employee information) retrieved from connected SaaS applications. In those cases, the customer is the data controller, and our processing is covered by the applicable DPA.

2. Personal Data We Collect

A. Account & Authentication Data (Controller)

We provide multiple authentication options to access our platform:

  • Direct OAuth authentication via Google or Microsoft accounts
  • SSO authentication through your organization’s identity provider (e.g., Okta, Azure AD, Google Workspace, JumpCloud)

Through these authentication methods, we may receive:

  • Name
  • Email address
  • Organization/domain
  • User role or directory attributes (depending on your IdP configuration)

We do not process or store passwords.

B. Connected SaaS Application Data (Processor)

When your organization connects third-party SaaS apps to the Platform, we process:

  • User lists
  • License and subscription data
  • Usage activity and events

This data is processed solely to deliver the core Platform functionality.

C. Technical & Usage Data (Controller)

We automatically collect technical data such as:

  • IP address
  • Device and browser information
  • Feature and usage analytics
  • Error logs and diagnostic information

This data helps us secure, maintain, and improve the Platform.

3. Purposes of Processing

We process personal data for:

  • User authentication and secure access
  • SaaS discovery and automated data collection
  • Generating reports and dashboards
  • License and cost optimization
  • Platform security, monitoring, and fraud prevention
  • Providing customer support
  • Improving functionality and developing new features

4. Legal Bases for Processing

Our processing relies on:

  • Performance of a contract
  • Legitimate interests (security, analytics, product improvement)
  • Compliance with legal obligations
  • Customer instructions when acting as a processor

5. Subprocessors & Third-Party Services

We use trusted providers including:

  • Cloud hosting: Amazon Web Services (AWS)
  • Database and storage providers
  • Analytics providers: Rudderstack, Amplitude
  • Email delivery services
  • Authentication providers (Microsoft, Google, and other SSO providers)

All subprocessors operate under GDPR-compliant agreements including SCCs where required.

6. Data Retention

We retain data only as necessary:

Technical logs

  • Application and service logs: 30 days
  • Network access logs: 12 months (compliance requirement)

Network logs contain technical metadata only and are not linked to individual users.

Other data

  • Backups: 12 months
  • Account/SSO metadata: for the duration of the subscription
  • SaaS application data: per customer configuration or deleted upon termination

Retention may be extended where legally required.

7. International Data Transfers

When transferring data outside the EU/EEA, we rely on:

  • Standard Contractual Clauses (SCCs)
  • Encryption and additional safeguards

All transfers comply with GDPR Chapter V.

8. Security Measures

We apply strong security controls including:

  • Encryption in transit and at rest
  • Single Sign-On (SSO)
  • Penetration testing
  • Audit logging
  • Vulnerability scanning
  • SOC 2 Type II certified controls

9. User Rights (GDPR)

Where we act as controller, users may:

  • Access their data
  • Request correction or deletion
  • Restrict or object to processing
  • Request data portability
  • Lodge complaints with authorities

Where we act as processor, requests must be made to the customer organization.

Contact: privacy@viio.io

10. Cookies & Tracking

We use first-party cookies only for:

  • Authentication
  • Essential functionality
  • Product analytics

We do not:

  • Use third-party advertising cookies
  • Track across sites
  • Sell personal data

11. Children

The Platform is not intended for individuals under 16. We do not knowingly process children’s data.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated through the Platform or by email.

13. Contact Us

Viio Technologies ApS

Dampfærgevej 27–29, 5. sal

2100 Copenhagen, Denmark

Email: privacy@viio.io

© 2024 All Rights Reserved
Viio Technologies ApS (DK-38483455)
Dampfaergevej 27, 5. 2100 Copenhagen, Denmark
contact@viio.io