Privacy Notice
Last updated: 2026-01-15
1. Who We Are
Huisku Oy, operating under the brand name "Pacho" ("we", "us", "our"), is the data controller responsible for your personal data. We are a Finnish company registered under business ID 3508285-4, headquartered at Lapinlahdenkatu 16, 00180 Helsinki, Finland. We provide an AI-powered operations management platform designed for short-term rental and hospitality businesses.
2. Data We Collect
Account Information: Name, email address, phone number, company name, job title, and login credentials.
Business Data: Property listings, booking information, task schedules, operational data, team member information, and service provider details you input into our platform.
Payment Information: Billing address, payment method details (processed by our payment providers), and transaction history.
Technical Data: IP address, device type, browser information, operating system, access times, and pages visited.
Usage Data: Feature interactions, preferences, settings, and platform activity logs.
Communication Data: Support inquiries, feedback, and correspondence with our team.
Location Data: General location based on IP address; precise location only if you enable mobile location services.
3. How We Collect Data
We collect data directly from you when you create an account, use our platform, contact support, or communicate with us. We collect data automatically through cookies, analytics tools, and server logs when you interact with our services. We may receive data from third parties including property management systems you integrate, payment processors, and identity verification services.
4. Legal Bases for Processing
Under GDPR, we process your data based on:
Contract Performance: To provide our platform services, process payments, and fulfill our obligations under your subscription agreement.
Legitimate Interests: To improve our services, ensure platform security, prevent fraud, communicate service updates, and conduct business analytics. Our legitimate interests do not override your fundamental rights and freedoms.
Consent: For marketing communications, certain cookies, and optional features. You can withdraw consent at any time.
Legal Obligations: To comply with tax laws, court orders, regulatory requirements, and other applicable laws.
5. How We Use Your Data
We use your data to provide and maintain our platform services and features, process transactions and manage your subscription, communicate important service updates and notifications, respond to support requests and provide customer assistance, improve platform functionality based on usage patterns, ensure security and detect fraudulent or unauthorized activity, conduct analytics to understand user needs and preferences, fulfill legal and regulatory requirements, and with your consent, send marketing communications about new features or offers.
6. Data Sharing
We share data with service providers who help operate our platform (hosting, payment processing, analytics, customer support tools) under strict data processing agreements. We share data with integrated third-party services (property management systems, channel managers) when you enable such integrations. We may share data with professional advisors (lawyers, accountants, auditors) when necessary for business operations. We share data with authorities when required by law, court order, or to protect rights, safety, or property. We may share data with potential acquirers in connection with a merger, acquisition, or sale, with appropriate confidentiality protections. We do not sell your personal data to third parties.
7. AI and Automated Decision-Making
Our platform uses artificial intelligence and machine learning to optimize scheduling and task assignments, predict maintenance needs and inventory requirements, provide operational recommendations and insights, and automate routine workflows. These AI features are designed to assist, not replace, human decision-making. You can override automated suggestions at any time. We do not use fully automated decision-making that produces legal or similarly significant effects without human oversight.
8. Your Rights Under GDPR
You have the right to access and obtain a copy of your personal data, correct inaccurate or incomplete data, request deletion of your data ("right to be forgotten"), restrict how we process your data, receive your data in a portable format, object to processing based on legitimate interests, withdraw consent at any time without affecting prior processing, and lodge a complaint with a supervisory authority. To exercise these rights, contact us at privacy@pacho.io. We will respond within 30 days.
9. Cookies and Tracking
We use essential cookies required for platform functionality and security, performance cookies to understand how users interact with our platform, and functionality cookies to remember your preferences and settings. You can manage cookie preferences through your browser settings or our cookie consent tool. Note that disabling certain cookies may affect platform functionality. For details, see our Cookie Policy.
10. Data Retention
We retain your personal data for as long as your account is active and as necessary to provide services. After account termination, we retain account data for up to 3 years to comply with legal obligations, resolve disputes, and enforce agreements. We retain financial records for 7 years as required by Finnish tax law. We retain anonymized analytics data indefinitely for business insights. You may request earlier deletion subject to our legal retention obligations.
11. Data Security
We implement industry-standard security measures including encryption of data in transit (TLS 1.3) and at rest (AES-256), multi-factor authentication options, regular security audits and penetration testing, access controls limiting data access to authorized personnel, secure data centers with physical access controls, and employee security training and confidentiality agreements. While we take extensive measures to protect your data, no system is completely secure. We will notify you and relevant authorities of any data breach as required by law.
12. International Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA). When this occurs, we ensure appropriate safeguards through Standard Contractual Clauses approved by the European Commission, adequacy decisions for countries with equivalent data protection, and binding corporate rules where applicable. You can request information about the specific safeguards applied to your data.
13. Children's Data
Our services are designed for business use and are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from someone under 16, we will delete it promptly. Please contact us if you believe we have inadvertently collected such data.
14. Changes to This Notice
We may update this Privacy Notice to reflect changes in our practices or legal requirements. For material changes, we will provide prominent notice through email or platform notification at least 30 days before changes take effect. Minor changes may be posted directly to this page. Your continued use of our services after changes become effective constitutes acceptance of the updated notice.
15. Contact Us
For questions about this Privacy Notice or to exercise your rights, contact our Data Protection team at privacy@pacho.io or write to: Huisku Oy (Pacho), Data Protection, Lapinlahdenkatu 16, 00180 Helsinki, Finland. For unresolved concerns, you may contact the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local supervisory authority.