SPED Privacy Statement
At SPED, we prioritize data protection. Privacy and information security are central to our values. This Privacy Policy Statement outlines the fundamental principles and practices we follow to ensure that your privacy is safeguarded while using our services.
SPED Tech Oy, local country-specific SPED companies, and Sped Tech Oy., belonging to the same group of companies (“SPED,” “we”), process personal data of users who utilize SPED’s food and retail ordering services through the SPED application (“SPED App”), as well as users of other SPED delivery products and services, and visitors of the website SPED.com (“Website”).
In this Privacy Statement, the term “SPED Services” collectively refers to the Website, the SPED App, and other services provided by SPED to users. The terms “User” or “you” collectively refer to our customers, users of SPED delivery services, representatives and other authorized users of our customer organizations, potential customers, and users of the SPED Services. Our Privacy Statement clarifies the types of personal data we process, how we process it, and how you can exercise your rights as a data subject (e.g., right to object, right of access).
Some of our services may be subject to separate privacy policies. If a particular service is subject to a separate privacy policy, we will make it available alongside that service.
This Privacy Statement may be periodically updated to reflect changes in data processing practices or for other reasons. The current version can be found on the Website. We will not make substantial changes to this Privacy Statement or diminish the rights of Users under this Privacy Statement without providing notice.
1. Data Controllers
This Privacy Statement applies to the processing of personal data conducted by SPED. SPED is part of SPED Tech Oy , a technology company headquartered at Joensuu Finland. We operate as a unified team and may jointly make decisions regarding the processing of personal data.
Regarding the processing of personal data of Users in the countries listed below, SPED Tech Oy and the local SPED group company act as joint data controllers. This means that SPED Tech Oy and the local SPED group company together determine the purposes and means of processing personal data. The countries where joint controllership applies are as follows:
SPED TECH OY, Mantylantie Joensuu Finland if the User is located in Finland,
SPED Tech Oy has been designated as the entity responsible for managing all data subject requests and inquiries related to the processing of personal data by the SPED group on behalf of the local joint controllers.
Additionally, SPED provides delivery services to other companies (e.g., SPED Drive API and eCommerce integrations). In such instances, SPED acts as the data processor for the aspects of processing activities related to receiving, managing, and completing deliveries, as well as communicating and confirming deliveries to the respective company.
2. SPED’S CONTACT DETAILS
SPED Tech Oy
Business ID: [Not provided]
Correspondence address: Mäntyläntie 3 C 40, Joensuu, Finland
Email address: support@sped.delivery
Data Protection Officer: SPED has appointed a Data Protection Officer who can be reached using the above contact details or by sending an email to privacy@sped.delivery.
3. Personal Data Processed and Sources of Data
At SPED, we process personal data only to the extent necessary and appropriate for specific processing purposes. Our processing activities involve two main categories of personal data: User Data and Usage Data.
User Data
User Data comprises personal data collected directly from you or from our customer organizations, on behalf of which you use the SPED Services. We collect User Data through various channels, including registration to the SPED Services, subscription to newsletters, or completion of forms. Additionally, details of transactions and payments made through the SPED Services are collected.
User Data Necessary for Using the SPED Services
- Full name
- Telephone number
- Email address
- Information related to payment instruments (not stored by SPED)
User Data Provided Voluntarily and While Using SPED Services
Enhancing your user experience may involve providing additional information voluntarily, such as:
- A profile picture
- Delivery address
- Location data (with consent)
- Participation in loyalty programs
- Age (for age-restricted goods)
- Other information provided during account creation or modification
Other Information
We may also process additional information provided by you voluntarily, including:
- Order-related information
- Ratings, comments, or survey responses
- Favorite restaurants or merchants
- Marketing preferences
- Information provided through phone, email, or chat correspondence
In addition to User Data collected directly, we may process certain personal data provided by third-party service providers, primarily obtained from public sources.
Usage Data
Usage Data arises from user interactions with the SPED Services. Although it may not typically identify individuals, it can, under certain circumstances, be linked to individuals, making it subject to applicable data protection laws.
We automatically collect the following Usage Data when you interact with the SPED Services:
- Device or browser information
- Internet service provider and network connection details
- Identifiers provided by devices or third parties
- Location information
- Referral and navigation details
- Interaction and usage patterns
- Data for tracking transactions initiated by advertising partners
Cookies and Other Technologies
We use various technologies, including cookies, to collect and store Usage Data and other information when users visit the SPED Services. Cookies allow us to identify visitors, facilitate service usage, and create aggregate visitor information to improve our services.
Users can manage cookie preferences through browser settings or the SPED App. Disabling cookies may affect certain functions of the SPED Services.
SPED uses pseudonymized identifiers and session-only 3rd-party tracking technologies to track and predict user preferences and verify transactions initiated by advertising partners.
Users can manage their communication and privacy settings via the SPED App, and visitor identifiers can be disabled on iOS and Android mobile devices.
SPED uses different third party analytics and telemetry providers, marketing or affiliate partners, and other services integrated into our client software listed below:
| Name | Vendor | Purpose | Vendor privacy statement |
| Google Analytics | Visitor and usage analytics | Link | |
| Google AdSense | Ad Targeting | Link | |
| Google Tag Manager | Analytics and reporting | Link | |
| Upwave | Upwave | Analytics, marketing and reporting on SPED app | Link |
| AppsFlyer | AppsFlyer | Analytics, marketing and reporting on SPED app. | Link |
| hCaptcha | Intuition Machines, Inc. | Bot detection and avoidance and reporting | Link |
| Bugsnag | SmartBear Software Inc. | Error event and performance tracking on websites and apps | Link |
| Facebook Graph API | Meta | Ads management | Link |
| Facebook Pixel | Meta | Advertising/ conversion tracking | Link |
| Firebase | Firebase | Mobile and web application development platform | Link |
| Intercom | Intercom | Chat with customer support | Link |
| Ravelin | Ravelin | Anti-fraud | Link |
| Riskified | Riskified | Payment fraud preventiont | Link |
| Adform | Adform | Managing and delivering online ads | Link |
| Floodlight | Floodlight | Advertising/conversion tracking | Link |
| Microsoft Clarity | Microsoft | User heatmaps analysis | Link |
| Interspace | Interspace (Accesstrade) | Affiliate marketing platform | Link |
| Microsoft Bing | Microsoft | Search engine | Link |
| Iterable | Iterable | Marketing automation | Link |
| LinkedIn InsightTag | LinkedIn Marketing Solutions | Advertising/conversion tracking | Link |
| Taboola Pixel | Taboola | Advertising/conversion tracking | Link |
| TradeDoubler | TradeDoubler | Advertising/conversion tracking | Link |
| Twitter Universal Website Tag | Twitter Ads | Advertising/conversion tracking | Link |
| Yahoo | Yahoo | Advertising/conversion tracking | Link |
| Reddit Pixel | Reddit Ads | Advertising/conversion tracking | Link |
| Sentry | Sentry.io | Functional software | Link |
Please note that not all of the above vendors are necessarily being used at any given time, or on all market areas.
4. The Purposes and Grounds for the Processing
At SPED, we process personal data only as necessary and appropriate for specific purposes. Multiple purposes and legal grounds may apply simultaneously.
Contractual Obligations
We process your personal data to fulfill our contractual obligations towards you or the Customer Organization, including:
- Offering SPED Services as per the contract between you and SPED or between Customer Organization and SPED.
- Managing and delivering your order, communicating changes, and handling payments or refunds.
- Providing necessary information to Partners (restaurants, retailers, courier partners) for order preparation or delivery.
- Addressing your inquiries or support cases.
Legitimate Interests
We may process your personal data based on legitimate interests to run, maintain, and develop our business or maintain customer relationships. This includes:
- Claims handling, debt collection, fraud prevention, and ensuring system security.
- Contacting you regarding SPED Services, informing you of changes, or requesting feedback.
- Marketing SPED Services or showing personalized advertisements.
- Improving service quality and analyzing usage trends.
- Processing data within the SPED group of companies.
Legal Obligations
We process personal data to fulfill legal obligations, such as bookkeeping obligations or providing information to relevant authorities.
Consent
In some cases, you may be asked to grant consent for personal data processing, such as within the SPED App. You have the right to withdraw consent at any time.
5. Transfer to Countries Outside Europe
While SPED primarily stores personal data within the European Economic Area (EEA), we have operations, service providers, and group companies in various locations globally. Consequently, your personal data may be transferred to or processed in jurisdictions outside the EEA or your domicile.
To ensure adequate protection for users’ personal data in these jurisdictions, we take several steps:
- Agreements with Service Providers: We establish agreements with our service providers, including Standard Contractual Clauses, to ensure appropriate protection for personal data transferred to countries outside the EEA.
- Other Safeguards: In addition to contractual clauses, we implement other appropriate safeguards to protect users’ personal data when transferred to countries outside the EEA.
For further information on the transfer of personal data or inquiries regarding this process, please contact us using the provided contact addresses.
6. Data Recipients
At SPED, we share your personal data only within our organization to the extent necessary for the purposes outlined in this Privacy Statement.
For users in Japan: Your personal data mentioned in section 3 is processed within the organization of SPED (SPED Tech Oy and its subsidiaries and affiliates) for the purposes specified in section 4. SPED Tech Oy, based in Joensuu, Finland, is responsible for managing jointly used Personal Information. Users in Japan have the right to request disclosure of the purposes for which SPED processes their personal data and records regarding the provision of personal data to third parties, as per the Japanese Personal Data Protection Law.
We do not share your personal data with third parties outside SPED’s organization unless one of the following circumstances applies:
- For the Purposes of this Privacy Statement and to Authorized Service Providers: We may share your personal data with third parties, such as restaurants, merchants, retailers, courier partners, and Customer Organizations, to facilitate the provision of SPED Services or for other legitimate reasons. This may include sharing your phone number with the Partner you ordered from, providing data to group companies or authorized service providers for processing services like data storage, accounting, analytics, sales, marketing, and payment fraud prevention. We ensure that third parties process your data exclusively for the purposes specified in this Privacy Statement and in compliance with applicable laws and regulations.
- With Partners for the Performance of SPED Services: Third parties involved in fulfilling SPED Services, such as Partners preparing, selling, or delivering your order, may need access to your personal data. We provide Partners with necessary data, such as your name, delivery address, order details, comments, and feedback, to enable them to fulfill your order effectively and comply with legal obligations. Partners may also process such data for their own purposes, making them independent controllers responsible for the lawfulness of their processing operations.
- For Legal Reasons and Processes: We may share your personal data with third parties outside SPED if necessary to meet applicable laws, regulations, court orders, or to address fraud, crime, security, or technical issues. We inform users about such processing whenever possible.
- For Other Legitimate Reasons: In cases of mergers, acquisitions, or asset sales involving SPED, we may transfer personal data to the involved third parties. We ensure the confidentiality of personal data and provide notice to affected users when data are transferred or become subject to a different privacy statement.
- With Your Explicit Consent: We share your personal data with third parties outside SPED only with your explicit consent. You have the right to withdraw this consent at any time, free of charge.
7. Storage Period
At SPED, we adhere to legal requirements and ensure that personal data is not stored longer than necessary for providing SPED Services or relevant purposes thereof. The storage duration depends on the type of information and processing purposes, thus the maximum period may vary accordingly.
Once a User deletes their user account, personal data may be retained only as long as required by law or reasonably necessary for our legal obligations or legitimate interests, such as claims handling, bookkeeping, internal reporting, and reconciliation purposes.
We conduct regular assessments of the storage period for personal data to ensure that data is retained only for the necessary duration.
8. Your Rights
Right of Access
You have the right to access and be informed about your personal data processed by us. You can view certain data through your user account with the SPED Services or request a copy of your personal data by contacting us.
Right to Withdraw Consent
If the processing is based on your consent, you may withdraw it at any time free of charge. However, withdrawing consent may limit your use of the SPED Services. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Right to Rectify
You have the right to have incorrect or incomplete personal data corrected or completed by contacting us. Some personal data can be corrected or updated through your user account in the SPED Services.
Right to Erasure
You can ask us to delete your personal data from our systems, unless we have a legitimate ground to retain the data.
Right to Object
You may object to certain uses of your personal data if it’s processed for purposes other than necessary for SPED Services or legal compliance. This may limit your use of the SPED Services.
Right to Restriction of Processing
You may request us to restrict processing of personal data, for example, when your data erasure, rectification, or objection requests are pending.
Right to Data Portability
You have the right to receive the personal data you provided to us in a structured, commonly used format and to transmit it to a third party.
How to Use Your Rights
You can exercise these rights by contacting SPED support or sending a letter or email to us. Include your full name, address, email address, and phone number. If you have a SPED account, contacting us through SPED support is recommended. We may request additional information to confirm your identity and may reject or charge requests that are unreasonably repetitive, excessive, or unfounded.
9. Direct Marketing
You have the right to prohibit us from using your personal data for direct marketing purposes, market research, and profiling for direct marketing. You can do this by contacting us or using the functionalities of the SPED Services or the unsubscribe option in direct marketing messages.
10. Lodging a Complaint
If you believe that our processing of personal data is inconsistent with applicable data protection laws, you have the right to lodge a complaint with the local supervisory authority for data protection in Finland, the Data Protection Ombudsman (tietosuoja.fi). Alternatively, you may lodge a complaint with another local and competent supervisory authority for data protection.
11. Information Security
We employ administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. These measures include, where appropriate, encryption, pseudonymization, firewalls, secure facilities, and access control systems. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience, and the ability to restore data. Regular testing of the SPED Services, systems, and other assets for security vulnerabilities is conducted. Additionally, access to personal data by SPED employees is restricted, and access is granted only as necessary for the employee’s work assignments.