Privacy

Privacy Policy

Last updated: 21 May 2026

This policy explains how Sirway Oy ("Sirway", "we", "us") processes personal data when you use the Data Collection App ("DCA") mobile application and the associated backend service at https://si.solidstreet.eu.

The policy is written to meet the requirements of the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act (Tietosuojalaki 1050/2018).

1. Data controller

Sirway Oy
Kantakyläntie 15 A
00640, Helsinki, Finland
Business ID: 1766202-7

Privacy contact: support@sirway.fi

If you have questions about this policy or want to exercise your rights, contact us at the address above.

2. Who DCA is for

DCA is a professional tool for authorised field inspectors working on behalf of road, bridge, and other infrastructure asset owners. Access is granted by your employer or contracting organisation via a Sirway-issued user account. The app is not directed at the general public or at children.

3. What we collect

a) Account information

  • Email address, name, organisation, and role assigned to your DCA account.
  • Authentication tokens (JWT) issued when you log in. These identify your device's session and are stored on the device.

Source: provided by you or by your organisation's administrator when the account is created.

b) Inspection data you record

  • Form responses (text, numeric values, ratings, choices) entered during asset inspections.
  • Asset identifiers and references to assets in the Sirway database.
  • Notes and comments you write.

This data is linked to your user account so the organisation can attribute inspections to the inspector.

c) Precise location (GPS) — foreground only

  • When you tap a "Capture GPS" action in a form, or when the app records the geo-position of a photo, DCA reads your device's precise location through Android's location service (or iOS Location Services).
  • Location is read only while the app is open and in the foreground. DCA does not run background location tracking.
  • Latitude, longitude, altitude, and accuracy are stored with the inspection record.

Purpose: to geo-tag inspected assets, photos, and field observations so they can be linked to a map.

d) Photos and other media

  • When you tap a "Take photo" or "Add from library" action, DCA accesses your device's camera and/or photo library.
  • Photos you select or capture are uploaded to Sirway's object storage and linked to the relevant inspection record.
  • DCA does not scan your photo library; it only sees the photos you explicitly pick.

e) Device and technical data

  • Device model, operating-system version, and app version (used for support and crash diagnostics).
  • Network state (online/offline) — used to decide when to sync data; not transmitted to us.
  • Diagnostic logs may be transmitted with your inspection data if you submit a support request.

We do not use third-party analytics or advertising SDKs inside DCA. We do not track your activity across other apps or services.

4. Why we process this data (purposes and legal bases)

PurposeLegal basis (GDPR Art. 6)
Authenticating you and authorising access to your assigned formsArt. 6(1)(b) — performance of contract between Sirway and your organisation; necessary for the service
Storing inspection records, photos, and GPS positions so they can be reviewed, validated, and used by your organisationArt. 6(1)(b) and Art. 6(1)(f) — legitimate interests of the asset owner in maintaining infrastructure records
Synchronising data between your device and the backendArt. 6(1)(b) — necessary for the service
Diagnosing crashes and providing supportArt. 6(1)(f) — legitimate interest in operating a reliable service
Complying with legal obligations (e.g. accounting, lawful requests by authorities)Art. 6(1)(c)

We do not make automated decisions or carry out profiling that produce legal or similarly significant effects on you.

5. Who we share data with

  • Your organisation — the customer Sirway provides DCA to. Authorised supervisors and administrators in your organisation can see the inspection data, photos, and GPS positions you submit.
  • Hosting and infrastructure providers (sub-processors) acting on our written instructions:
    • DigitalOcean, LLC — backend hosting and S3-compatible object storage (Spaces) for photo files. Region: SYD1.
    • None
  • Authorities — if required by law (e.g. court order, lawful request).

We do not sell your data and we do not share it with advertisers.

6. International data transfers

DCA's backend and object storage are hosted within the European Economic Area (EEA) at Sydney, Australia. Personal data is processed inside the EEA.

If we ever need to transfer personal data outside the EEA, we will rely on a valid GDPR transfer mechanism (such as Standard Contractual Clauses) and inform you in this policy.

7. How long we keep data

  • Inspection records and photos are retained for as long as the asset owner needs them for infrastructure management. Retention periods are set by the contract between Sirway and the asset owner, and are typically multiple years.
  • Account information is kept while your account is active and for a reasonable period after deactivation for audit purposes.
  • Authentication tokens on the device expire automatically and can be cleared by logging out or uninstalling the app.
  • Diagnostic logs are kept for up to 90 days unless attached to an open support ticket.

When retention ends, data is deleted or anonymised.

8. Security

  • Transport encryption (HTTPS / TLS) between the app and our backend, and between the app and object storage.
  • Authentication via short-lived signed tokens (JWT).
  • Object storage uses time-limited presigned URLs so photo uploads cannot be intercepted or replayed.
  • Server-side access controls so only authorised users in your organisation can see your inspection data.
  • Regular updates to dependencies and operating systems.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in risk to your rights, we will notify the supervisory authority and affected users in line with GDPR Art. 33–34.

9. Your rights under GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you (Art. 15).
  • Rectification — ask us to correct inaccurate or incomplete data (Art. 16).
  • Erasure — ask us to delete your data, subject to legal and contractual retention obligations (Art. 17).
  • Restriction — ask us to pause processing in certain situations (Art. 18).
  • Data portability — receive your data in a structured, machine-readable format (Art. 20).
  • Object — object to processing based on our legitimate interests (Art. 21).
  • Withdraw consent — where processing relies on your consent (Art. 7(3)).

To exercise these rights, contact us at the privacy email above. We respond within one month (extendable by two further months for complex requests).

You also have the right to lodge a complaint with the supervisory authority:

Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman)
Lintulahdenkuja 4, 00530 Helsinki, Finland
tietosuoja.fi

10. Permissions DCA requests on your device

PermissionWhy DCA needs itOptional?
Location (precise, while-in-use)Geo-tag inspected assets and photosRequired for GPS-capture fields
CameraTake photos of assetsRequired to attach new photos
Photos / Media libraryPick existing photos to attachRequired to attach existing photos
InternetSync data with the backendRequired for sync; the app also works offline

You can revoke any permission at any time in your device's settings. Some inspection features will be unavailable without the corresponding permission.

11. Cookies and analytics on sirway.fi

This website (sirway.fi) uses Google Analytics and Google Ads conversion tracking to measure traffic and the effectiveness of advertising. These services may set cookies on your browser and process information about your visit. They do not operate inside the DCA mobile app.

12. Children

DCA is intended for professional use by adults authorised by an asset-owning organisation. We do not knowingly collect personal data from anyone under 16. If you believe a child has used DCA, contact us and we will delete the relevant data.

13. Changes to this policy

We may update this policy from time to time (for example, when we add a new sub-processor or a new feature that processes personal data). The "Last updated" date at the top reflects the most recent change. Material changes will be communicated through the app or by email to your account.

14. Contact

For privacy questions, data-subject requests, or any other concern about how DCA handles personal data:

Sirway Oy
support@sirway.fi
Kantakyläntie 15 A, 00640, Helsinki, Finland