1. Background
When using Severa, personal data about you is processed in the product. This Privacy Statement
helps you understand what personal data is collected about you, why personal data is collected,
and how Visma Solutions Oy (“Visma”) handles, protects, stores, exports, and deletes your
personal data.
Personal data is any information relating to an identified or identifiable natural person,
such as an email address, street address, and phone number.
2. How can you contact Visma?
If you have any comments or questions about this Privacy Statement, or any privacy concerns,
including regarding a possible breach of your privacy, please contact us at:
Visma Solutions Oy
Villimiehenkatu 10, 53100
Lappeenranta [email protected]
Data Protection Officer:
Riku Tarkiainen
Data Protection Officer, Head of Security and Data Protection
[email protected]
Alternatively, you can use this form.
3. Visma as Processor
The customer of Severa is the Controller for the personal data processed in Severa. In these
cases, Visma acts as a Processor and processes the personal data on behalf of and according to
instructions given by the customer. For more information regarding this, please contact customer
support for the product. If you want to invoke your rights in relation to the processing of your
personal data in Severa, you should direct this to the organisation acting as Controller.
4. Visma as Controller
In some cases, Visma will be the Controller for personal data processed in the application.
This is when Visma determines the purposes and means of the processing of personal data. When
Visma is the Controller for personal data processed in the application, this section 4 applies.
When Visma acts as Controller in relation to your personal data, the information described below
applies.
You can find Visma Solutions’ general privacy statement here.
4.1. Processing activities
Visma processes your personal data in Severa as follows:
Customer support
In order to provide our customers with help and support in using our service, we process personal
data in our customer support. The personal data processed in customer support primarily concerns
our customers’ contact persons and users of our services. For these individuals, we process
contact details (name, email address, phone number), data related to the use of the service
(username, IP address, device information), as well as feedback from users of our services and
personal data included in customer support requests.
To the extent that personal data is processed in customer support for which Visma is the
Controller, our legal basis for this processing is our legitimate interests, cf. GDPR Article 6
(1) (f). Our legitimate interest is to provide our customers with support and service related to
our product.
In individual cases, we also process personal data in customer support for which our customer is
the Controller, in which case Visma acts as a Processor. Examples of such cases include
troubleshooting situations related to our service, where a customer presents a description of a
problem that also includes actual data entered into the service. In these cases, the legal basis
for the processing is the service agreement in force with our customer, which separately sets out
the principles for data processing.
Security
Visma processes personal data in order to detect, mitigate, and prevent security threats and
abuse, as well as perform necessary maintenance and debugging. The personal data involved includes
name, email address, user and web traffic data such as login ID, username, IP address, and device
information.
Our legal basis for this processing of personal data is our legitimate interests, cf. GDPR Article
6 (1) (f). Our legitimate interest is to maintain a secure environment for our customers and
operations.
We will only store your personal data for as long as necessary to fulfil the purpose of
processing, and your personal data will normally be deleted after 1 year.
Service improvement
Visma continuously strives to improve and develop the quality, functionality, and user experience
of our products and services. The personal data we process includes your name, email address, user
and web traffic information such as login ID, username, and IP address. Additionally, we process
statistics that indicate how you use our software.
Our legal basis for processing your personal data is our legitimate interests, cf. GDPR Article 6
(1) (f). Our legitimate interest is to ensure that we meet our customers’ expectations and fulfil
all contractual commitments.
We will process your personal data only as long as necessary to fulfil the purpose of processing.
After three years, the personal data is deleted or anonymised for statistical use.
Marketing newsletters
Visma uses email as a tool to distribute marketing communication, however only if you have
consented in accordance with national marketing legislation (to the extent this is required). The
personal data processed for this purpose is name and email address.
Our legal basis for this processing of personal data is our legitimate interests to provide
interested individuals with marketing communications, cf. GDPR Article 6 (1) (f).
The personal data will be deleted when you decide to opt out of receiving marketing communications
from Visma. This can be done in the following ways:
- Following the instructions for opt-out in the relevant marketing communication
- Changing preferences under the relevant account settings if you have an account with Visma
- Using the applicable subscription management tool (link found at the bottom of each
marketing communication) - Contacting us via this form
Please note that when opting out from receiving marketing communications, you may still receive
other communications from Visma, such as order confirmations and notifications necessary to manage
your account or the services provided to your organisation.
Profiling
When you interact with Visma while using our services, Visma processes your personal data to
provide you with relevant content through direct marketing on social media platforms, by email, on
websites, or in the service, based on your preferences.
The purpose of profiling is to provide you with tailored marketing, improve your user experience
in our services/websites, and deliver products that our customers are satisfied with. The personal
data processed consists of aggregated data such as IP address, interests (what you have clicked on,
etc.), username, and device. This is carried out using technologies such as cookies.
Our legal basis for this processing of personal data is our legitimate interests to provide you
with relevant content, cf. GDPR Article 6 (1) (f). Visma’s services are primarily used as tools
for work-related tasks, and the use of these tools reveals little about your personal life. No
sensitive personal data is processed. Your personal data is processed from a business perspective
and we do not believe that the processing conflicts with your freedoms and rights as an individual.
The personal data will be deleted when you decide to opt out of being subject to profiling by
contacting us by email at [email protected]
or by using this form. Personal
data collected via cookies is also subject to various retention policies.
4.2. How your personal data may be shared
Visma is a part of the Visma Group, which consists of several subsidiaries. In order to maintain
an overview and transparency, we may share your personal data across companies in the Visma Group.
Visma may also share your personal data with external third parties in the following contexts:
Processors
Visma uses processors to process personal data. These processors are typically vendors of
cloud-based services or other IT services. When using processors, Visma will enter into a data
processing agreement in order to safeguard your privacy rights. If processors are located outside
the EU/EEA, we ensure legal grounds for such international transfers on your behalf, including by
using the EU Model Clauses. You are welcome to request more detailed information on our processors
by contacting us as described in section 2 “Contact us”.
Business partners
Visma may share your personal data with partners in the event this is legitimate from a business
perspective and in accordance with applicable privacy legislation.
Public authorities
The police and other authorities may request access to data from us. This may include both
personal data and other information.
In all such cases, we follow strict internal policies and procedures when evaluating data requests
and consult our legal advisors. We only share data when strictly required by law, and only on the
basis of valid court orders or equivalent legal documents.
To prevent unauthorised access to the data in our possession, we also implement technical measures
such as encryption and access control. Visma’s security programme ensures a high level of security
and confidentiality.
Furthermore, we ensure through our agreements with subcontractors that they also comply with
organisational and security measures equivalent to our own.
If we receive data requests from authorities outside the EEA, we ensure compliance with Article
32 of the Data Act. Our internal policies and routines are aligned with this regulation.
4.3. Your rights
You can invoke the following rights to the extent that Visma processes your personal data as
Controller:
- Right of access. You have the right to request a copy of the personal data
we process about you. - Right to rectification. You also have the right to request rectification of
inaccurate personal data concerning you. If you have an account for our sites or services, this
can usually be done through the appropriate “your account” or “your profile” sections. - Right to erasure. You have the right to request that Visma delete personal
data relating to you. - Right to restriction of processing. You have the right to request that Visma
restrict the processing of your personal data. - Right to data portability. You have the right to ask us to provide you or
others with your personal data in a structured, commonly used, and machine-readable format. - Right to object. You have the right to object to Visma’s processing of your
personal data where personal data is processed for the performance of a task carried out in the
public interest, in the exercise of official authority vested in Visma, in pursuit of Visma’s
legitimate interests, or for direct marketing purposes.
Please note that there may be certain exceptions or limitations to the abovementioned rights which
could apply depending on the specific circumstances of your situation. In such cases, we will
provide you with detailed information about the applicable exception or limitation and help you
exercise your rights to the fullest extent possible, in accordance with applicable laws and
regulations.
Please send requests as mentioned in this section to
[email protected] or use this
form.
You also have the right to file a complaint with the supervisory authority regarding Visma’s
processing of your personal data.
5. Cookies
Cookies are small text files stored on your device when you visit a website. Cookies help the
website remember information about your visit, which improves the website’s functionality and
allows it to show you more personalised and relevant content.
Only strictly necessary cookies are used in the Severa service.
When you visit our product website (severa.visma.com), we install certain cookies on your device
that are strictly necessary for the website’s functionality. If you give your consent, we may also
use cookies or other tracking tools to collect information about your device and your interaction
with our website.
We currently use such non-essential cookies for the following purposes:
- Improving the functionality of our website
- Analysing the use of our website
- Marketing
More detailed information about the cookies used on the Severa service website can be found at
severa.visma.com.
6. Changes
We encourage you to review the Privacy Statement regularly. If we make significant changes to the
Privacy Statement that materially alter our privacy practices, we will notify you of these changes
on our website and in our Community.
This Privacy Statement was last updated on 22 May 2026.