Privacy Policy

Effective Date: 1.6.2026

This Privacy Policy explains how Groundhawk Oy (“Groundhawk” or “we”) collects, uses, or otherwise processes the Personal Data of individuals (“you”) in connection with our hardware devices, mobile and web applications, online portal, websites, and related services (collectively, the “Services”). This Privacy Policy also describes the Personal Data we process and what rights you have in relation to our processing of your Personal Data.

This Privacy Policy applies to all individuals whose Personal Data we process, including:

  • end users of our hardware devices and software (such as field technicians and surveyors employed by our customers);
  • administrators and portal users at our customer organizations, and network owners with whom mapping data is shared;
  • visitors to our websites and recipients of our marketing communications;
  • business prospects and contacts of potential or existing customers; and
  • job applicants and other individuals interacting with us.

We may update this Privacy Policy from time to time by posting a new version on our website. If we make any material changes, we will notify you by posting a notice in the Services or by sending a notice to the email address we have on file for you before the change becomes effective. Your continued use of the Services after the effective date will be subject to the new Privacy Policy.

Capitalized terms used but not defined in this Privacy Policy have the meanings given to them in our Terms of Service or other applicable agreement with us.

Personal Data, Data Controller and How to Contact Us

“Personal Data” refers to any data that relates to you as an identifiable individual. It may include, for example, your name, email address, telephone number, job title, employer, the device or account you use to access the Services, and information about how you use our Services. Anonymous information that we are not in a position to relate to you does not qualify as Personal Data.

“Data Controller” means an entity that determines how and why Personal Data is processed. For the purposes of this Privacy Policy, the data controller of your Personal Data is Groundhawk Oy, a Finnish company (Business ID 2938098-3), address: Miestentie 7, 02150 Espoo, Finland.

Where we process Personal Data on behalf of a customer organization (meaning the contractor, infrastructure owner, or network operator that has entered into an agreement with us for the use of the Services), that customer organization is the data controller and we act as a data processor under a separate data processing agreement. This applies, for example, to mapping data captured in the field and stored in our portal, which we generally process on behalf of the customer organization. In such cases, you should direct your privacy requests to that customer organization first, and we will assist them as required by applicable law.

If you have questions about your Personal Data or data protection, you can reach us by email at info@groundhawk.io.

Why Do We Process Your Data

Providing data to us is not always mandatory. However, we are unable to provide the Services, or some parts or features of the Services, without processing your data. If you use our Services, we will collect your data for some or all of the purposes described below, depending on which Services you use and your choices when using them.

To Perform a Contract

To provide you with the Services, we process Personal Data necessary to:

  • create user accounts and enable you to access, use, and manage our devices, applications, and online portal;
  • operate the Services, enable you to capture, upload, and manage mapping data and photographs, and deliver the resulting documentation to your employer or the customer organization that has subscribed to the Services;
  • process orders, deliveries, and payments and verify purchases;
  • send you service-related communications (such as service notices, updates, and security alerts) and provide customer support, training, and responses to your inquiries.

Legitimate Interests

To maintain and improve the Services to our users, we have a legitimate interest in collecting and processing your Personal Data to:

  • develop, test, and improve the Services, including our hardware, software, and AI models used for mapping analytics;
  • monitor product usage and performance, troubleshoot technical issues, and prevent errors;
  • handle support requests and manage our relationship with you and our customers;
  • customize your user experience (such as language and regional settings); and
  • provide you with information about our Services, offers, and events.

To grow our business and engage with prospects, we have a legitimate interest in collecting and processing Personal Data of business contacts to:

  • identify potential customers in our target market (construction contractors, network owners, utilities, and infrastructure operators);
  • enrich and verify professional contact information from publicly available business sources;
  • conduct outbound business-to-business outreach, including email campaigns, and measure engagement with those communications; and
  • identify which organizations visit our website and follow up with relevant business information.

To keep our Services safe and to protect them from misuse, we have a legitimate interest in collecting and processing your Personal Data to:

  • monitor and analyze use of the Services and our infrastructure;
  • detect, investigate, and take action against fraudulent, abusive, or unauthorized use;
  • ensure the security and integrity of our platform and devices; and
  • prevent unauthorized access to the Services and to our customers’ data.

With Your Consent

With your consent, we may process your Personal Data to:

  • place non-essential cookies and similar technologies on our website (see the Cookies section below);
  • send you marketing communications if you have subscribed to them; and
  • fulfill other purposes explained to you when we ask for your consent.

You can withdraw your consent at any time by using the unsubscribe link in our communications, by changing your cookie preferences on our website, or by contacting us at the address provided above. Withdrawing consent does not affect the lawfulness of any processing carried out before the withdrawal.

Legal Obligations

We may process your Personal Data as necessary to:

  • comply with legal obligations that apply to us, such as bookkeeping, tax, and corporate law requirements;
  • respond to lawful requests from public authorities; and
  • protect your vital interests or the vital interests of another person.

Recruitment

If you apply for a position with us, we process Personal Data necessary to evaluate your application, communicate with you, and take steps at your request before entering into an employment contract. This may include your name, contact details, CV, work history, education, references, and any other information you choose to provide as part of your application.

We do not use your data to make automated decisions that produce legal effects concerning you or similarly significantly affect you.

Data We Collect

In relation to your use of our Services, we gather information either directly from you (when you provide information to us) or indirectly (for example, through our devices and software, our website’s technology, or our partners and contractors).

Account and Identity Data

When you or your organization sets up an account with us, we collect your name, work email address, phone number, job title, and employer; your login credentials and authentication information; and your role and permission information within the customer organization.

Field and Mapping Data

When you use our hardware devices and applications in the field, we collect data generated during the mapping and documentation activity, including:

  • precise geolocation data (GNSS/RTK satellite positioning, including coordinates x, y, z and relative depth) of the device and of the mapped infrastructure;
  • photographs and images (including geotagged photographs) captured with the device or uploaded through the application;
  • 3D point clouds and other sensor data generated by the device’s cameras and sensors;
  • information you enter about cables, protections, points of interest (such as cabinets, poles, wells), worksites, and projects;
  • device telemetry, including device identifiers, software version, battery status, connectivity information, and diagnostic logs; and
  • timestamps and the user account associated with each measurement or photograph.

Field and mapping data is primarily about infrastructure and worksites and is not intended to identify individuals. However, because each measurement is linked to the user account that captured it, and because photographs taken on a worksite may incidentally contain images of individuals (such as colleagues or passers-by), parts of this data may constitute Personal Data. Customer organizations are responsible for ensuring that their employees and other field workers are informed of this processing in accordance with applicable employment and privacy laws.

Portal and Application Usage Data

We collect information about how you interact with our portal, mobile applications, and other software, including the pages and features you access, the actions you take, the time and duration of your sessions, the settings and preferences you select, and the data you enter into forms and project records.

Customer Support and Communications Data

When you contact us for support or otherwise communicate with us, we collect the content of your messages (including emails, chats, and support tickets) and information you provide during training sessions, webinars, and demonstrations. Where we record, transcribe, or summarize meetings or calls, we do so only after informing you and, where required, obtaining your consent.

Marketing and Prospect Data

In connection with our marketing and sales activities, we may collect:

  • publicly available business information about you and your employer (such as name, job title, employer, business email address, business phone number, and professional profile information) from public sources, business directories, and third-party data providers;
  • information about your interactions with our marketing communications, including whether you have opened an email or clicked a link;
  • information you submit through forms on our website (such as demo requests, brochure downloads, and contact forms); and
  • information about your participation in our webinars, events, and other marketing activities.

Website and Device Data Collected Indirectly

When you visit our website or otherwise interact with our digital channels, we may collect:

  • browser and device information (both software and hardware), including operating system, browser type and version, screen resolution, and device identifiers;
  • IP address and approximate geographic location derived from it;
  • the organization associated with the IP address you use to visit our website (we use a third-party service to identify companies, but not individual visitors, that visit our website);
  • referral information, including the source from which you arrived at our website;
  • session recordings, heatmaps, and other behavioral analytics about how you use our website (where you have provided consent); and
  • aggregated and statistical information about visitors and usage.

Statistical or aggregated information does not directly identify a specific person, but where it is derived from Personal Data or combined with Personal Data, we will treat the combined information as Personal Data.

Recruitment Data

If you apply for a position with us, we collect the Personal Data you submit as part of your application, including your CV, cover letter, work history, education, references, and any other information you choose to share. We may also receive information from your references or, where you have been informed, from third parties such as recruiters.

AI and Data Processing

Use of AI in the Services

Our Services use artificial intelligence (AI), machine learning, and computer vision to analyze sensor data and imagery and to derive accurate location and depth information for underground cables and other infrastructure. AI processing runs automatically in the background as part of the mapping workflow.

We may also use third-party foundational AI models (for example, Anthropic Claude) to power certain internal automations and assistive features. These models may process limited amounts of business and operational data on our behalf.

Use of Customer Data for Model Improvement

We may use de-identified, aggregated, or otherwise non-identifying data derived from your use of the Services to develop and improve our AI models, mapping algorithms, and the Services in general. We do not share identifiable customer mapping data or photographs with third-party AI providers for the purpose of training their foundational models.

No Automated Decisions with Legal Effects

We do not use your data to make automated decisions that produce legal effects concerning you or that similarly significantly affect you.

Who Can See Your Data

Except as described below, we do not share, sell, or otherwise disclose your Personal Data to third parties. To achieve the purposes described in this Privacy Policy, we may share your data with the following types of recipients.

Within Your Organization and With Network Owners

If you use the Services as part of your employment or engagement with one of our customer organizations, other authorized users within that organization may see your name, email address, role, and the field and mapping data you have created. Mapping data and as-built documentation may also be shared with the network owner, infrastructure owner, or other party that has commissioned the work, in accordance with the agreement between those parties.

Service Providers

We use trusted partners and service providers to help us deliver the Services and operate our business. These providers process your data only on our instructions and in accordance with applicable data protection laws. We require them to apply appropriate technical and organizational measures to protect your data. The categories of service providers we use include:

  • Cloud hosting, infrastructure, and AI services (including the Anthropic Claude API and automation tools such as n8n) — to host the Services, store data securely, power AI features, and automate internal workflows;
  • Productivity, collaboration, and meeting tools (such as Microsoft 365, Microsoft Teams, Google Workspace, and Fireflies.ai) — for email, calendaring, document creation and storage, internal collaboration, and the recording, transcription, and summarization of meetings where participants have been informed and, where required, have consented;
  • Customer relationship management, engagement, and notifications (such as HubSpot, hosted in the EU, and OneSignal, hosted on EU servers) — to manage customer relationships, sales pipeline, marketing campaigns, support activities, and to send push notifications, emails, and other communications;
  • Webinar and event hosting (such as Livestorm) — to host webinars and online events;
  • Marketing, outreach, and lead enrichment (such as Lemlist, Instantly, Lusha Pro, Clay, and LinkedIn) — to send marketing and outbound business communications, manage sender reputation and deliverability, and find and enrich professional contact information for business prospects from publicly available business sources;
  • Website analytics, product analytics, and visitor identification (such as Google Analytics, PostHog hosted on EU servers, Microsoft Clarity, and Snitcher) — to understand how visitors use our website and how users interact with our Services, including session recordings and heatmaps where you have provided consent, and to identify the organizations associated with IP addresses visiting our website (this service does not identify individual visitors by name); and
  • Payment processing and billing service providers — to process orders, invoices, and payments.

We periodically review the service providers we use. The list above describes the categories of recipients at the time this Privacy Policy was last updated. You can contact us at the address provided above to obtain more detailed information about the specific service providers we currently use.

Other Companies and Public Authorities

To combat fraud and illegal activity, we may exchange data with other companies and organizations and provide it to public authorities in response to lawful requests. We may also disclose your Personal Data:

  • based on your explicit consent;
  • to comply with the law or with binding legal process;
  • to protect the rights, property, or safety of us, our users, our customers, or others; or
  • in connection with a corporate transaction, such as a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this Privacy Policy.

International Data Transfers

In connection with the processing activities described in this Privacy Policy, your data may be transferred to and/or processed in countries outside the European Union (“EU”) and the European Economic Area (“EEA”). Because different countries may have different data protection laws, we take steps to ensure adequate safeguards are in place to protect your data.

Adequate safeguards that our partners and we may rely on include European Commission adequacy decisions, the EU-U.S. Data Privacy Framework, and standard contractual clauses approved by the European Commission, together with any necessary supplementary measures. You can contact us for more information about the safeguards in place for specific transfers.

How Do We Protect Your Data

To help ensure a secure user experience, we continuously develop and implement administrative, technical, and physical security measures to protect your data from unauthorized access, loss, misuse, or alteration. These measures may include, for example:

  • encryption of data in transit and at rest, access controls, authentication mechanisms, the principle of least privilege, and logging and monitoring of access to our systems;
  • regular security assessments, vulnerability testing, audits, and incident response procedures; and
  • employee training on data protection and information security.

How Long Do We Keep Your Data

We retain your data only for as long as necessary to provide the Services, to fulfill the purposes described in this Privacy Policy, and to comply with applicable legal obligations. As general principles:

  • account data, field and mapping data are retained for the duration of the customer agreement and for a reasonable period thereafter;
  • communications and support records are retained for the duration of the customer relationship;
  • marketing and prospect data is retained until you object, withdraw your consent, or it is no longer relevant;
  • recruitment data of unsuccessful candidates is retained only for as long as necessary; and
  • data required by accounting, tax, or other legal obligations is retained for the period required by those laws.

After the applicable retention period, we will delete or de-identify your data. We may periodically delete or de-identify inactive accounts and associated data.

If you ask us to delete your Personal Data, we may retain some of your data to the extent necessary for our legitimate business interests, such as to comply with our legal obligations, resolve disputes, and enforce our agreements.

Cookies and Similar Technologies

Like most online services, we and our partners use cookies and similar technologies on our website to provide, personalize, and improve the Services, to analyze how the Services are used, and to support our marketing activities. Cookies and similar technologies allow us and our partners to store preferences and track activities within the Services.

We classify the cookies we use into the following categories:

  • Strictly necessary cookies — required for the website to function; these cannot be disabled;
  • Analytics cookies — help us understand how visitors use our website (for example, Google Analytics, PostHog, and Microsoft Clarity);
  • Marketing and advertising cookies — used by our partners and us to deliver and measure marketing activities (for example, HubSpot and LinkedIn);
  • Functional cookies — enable enhanced functionality and personalization.

Non-essential cookies are placed only with your consent, which you give through the cookie banner on our website. You can change your cookie preferences at any time via the cookie settings on our website or in your browser settings. Please note that disabling certain cookies may affect the website's functionality. Our partners may operate under their own privacy policies; you can find more information in those policies.

Your Rights and Options

Subject to applicable law, you have the right to:

  • access the Personal Data we hold about you;
  • request the correction or deletion of your Personal Data;
  • request that we restrict the processing of your Personal Data;
  • object to the processing of your Personal Data to the extent our processing is based on our legitimate interests or the legitimate interests of a third party, including the right to object to direct marketing at any time;
  • where technically feasible, request a copy of the Personal Data you have provided to us in a structured, commonly used, and machine-readable format (data portability);
  • withdraw your consent at any time where we rely on consent as the legal basis for processing;
  • not be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects you; and
  • lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman (tietosuojavaltuutettu).

If you wish to exercise any of these rights, please contact us by email at: [•]. To unsubscribe from our marketing communications, please use the unsubscribe link provided in those messages. Where we process your Personal Data on behalf of a customer (as a data processor), please direct your requests to that customer in the first instance, and we will assist them in responding to your request as required by applicable law.

Children

Our Services are designed for business use and are not directed to children under 16 (or such other age as required by applicable local law). We do not knowingly collect any Personal Data from children. If we discover that we are processing the Personal Data of a child, we will take appropriate measures to promptly delete the data from our records. If you have reason to believe we hold Personal Data relating to a child, please contact us.

Contact

If you have any questions about this Privacy Policy or our data practices, please contact us at: info@groundhawk.io.