Varmo is designed to operate without personal data. The API requires only a dispatch UUID you generate, a dispatch date, a destination postal code, and a destination country code. In isolation, none of these fields identify a natural person, which means Varmo’s data model minimises GDPR exposure for you as the card issuer. Where Varmo does act as a data processor on your behalf, it operates within a defined legal basis and supports your obligations to data subjects.

What data Varmo processes

The following table lists every field Varmo receives when you call the Status API.

| Field | Type | Is it PII? | Purpose |
| --- | --- | --- | --- |
| id (dispatch UUID) | Identifier | No (pseudonymous) | Tracks a single card dispatch through the delivery lifecycle |
| dispatch_date | Timestamp | No | Anchors the delivery window prediction model |
| destination.postal_code | Geographic | No | Regional input for carrier performance modelling |
| destination.country_code | Geographic (ISO 3166-1 alpha-2) | No | Routes the dispatch to the correct regional prediction model |

Varmo never receives the cardholder’s name, email address, phone number, physical address, date of birth, or any other directly identifying data. If your integration sends these fields, remove them — they are not used and should not be transmitted.
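
An added example (not Varmo's own code) of enforcing this at the integration boundary: an allowlist filter that forwards only the four fields in the table and reports every field it stripped, so stray PII can be logged and fixed at the source. The nested `destination` object, the function names, and the sample record are assumptions constructed for illustration.

```python
import uuid

# Field allowlist taken from the table above; the nested "destination"
# object is an assumption inferred from the dotted field names.
ALLOWED = {
    "id": None,
    "dispatch_date": None,
    "destination": {"postal_code": None, "country_code": None},
}


def minimise(payload, allowed=ALLOWED, prefix=""):
    """Return (clean, dropped_paths) for payload against the allowlist."""
    clean, dropped = {}, []
    for key, value in payload.items():
        path = prefix + key
        if key not in allowed:
            dropped.append(path)          # unknown field: never forwarded
        elif allowed[key] is None:
            if isinstance(value, (dict, list)):
                dropped.append(path)      # scalar expected; nested data could hide PII
            else:
                clean[key] = value
        elif isinstance(value, dict):
            sub, sub_dropped = minimise(value, allowed[key], path + ".")
            clean[key] = sub
            dropped.extend(sub_dropped)
        else:
            dropped.append(path)          # object expected, got something else
    return clean, dropped


def build_dispatch(record):
    """Validate and minimise one record (constructed internal format)."""
    clean, dropped = minimise(record)
    uuid.UUID(str(clean["id"]))           # raises ValueError if not a UUID
    cc = clean["destination"]["country_code"]
    if not (isinstance(cc, str) and len(cc) == 2 and cc.isalpha() and cc.isupper()):
        raise ValueError("country_code must be ISO 3166-1 alpha-2")
    return clean, sorted(dropped)


# Constructed sample record, as an issuer's system might hold it.
SAMPLE = {
    "id": "3f2b8c1e-9d4a-4e7b-8a6f-1c2d3e4f5a6b",
    "dispatch_date": "2024-05-01T09:00:00Z",
    "cardholder_name": "Example Person",
    "destination": {"postal_code": "00100", "country_code": "FI", "street": "Example Street 1"},
}
```

A non-empty list of dropped paths is worth alerting on: it means an upstream system is attaching data that should never reach the outbound request.
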

Varmo processes dispatch data under legitimate interests (Article 6(1)(f) GDPR) on behalf of the card issuer. The legitimate interest is providing accurate delivery predictions that enable card issuers to communicate meaningfully with cardholders during the delivery window. Because the data Varmo processes is pseudonymous and does not directly identify individuals, the processing activity carries a low risk to data subjects’ rights and freedoms.

As the card issuer, you are the data controller. Varmo acts as a data processor on your behalf. This relationship is formalised in a Data Processing Agreement (see below).

Data processor agreement (DPA)

Varmo acts as a data processor under Article 28 GDPR. Before going live in production, you should have a signed DPA in place. The Varmo DPA covers:
  • The subject matter, duration, nature, and purpose of the processing
  • The categories of data and data subjects involved
  • Varmo’s obligations and rights as a processor
  • Sub-processor disclosure and notification obligations
To request a DPA, email privacy@varmo.fi with your organisation name and the email address of your data protection contact.

Data subject rights

Because Varmo holds no directly identifying personal data, most data subject access requests (DSARs) submitted to Varmo in isolation will return no data or pseudonymous records only — a dispatch UUID tied to a postal code does not on its own identify a person. If one of your cardholders exercises their rights under Articles 15–22 GDPR and you need Varmo’s cooperation to fulfil the request, Varmo will assist you within 30 days of a written request. Send DSAR cooperation requests to privacy@varmo.fi with the dispatch UUID(s) in scope.

Data transfers

Varmo processes all dispatch data within the EU/EEA. Varmo does not transfer personal data to third countries unless adequate safeguards — such as Standard Contractual Clauses — are in place and disclosed in the DPA. If your organisation’s compliance requirements restrict cross-border data transfers, confirm the processing region with Varmo before going live.

Data retention

Varmo retains dispatch records for 90 days after the expected delivery window for that dispatch closes. Records are deleted automatically at the end of that period. No manual intervention is required on your part, and deleted records cannot be recovered. If you need to retain dispatch records for your own compliance obligations, export them to your systems before the 90-day window expires.
To request a DPA, ask a data protection question, or submit a DSAR cooperation request, email privacy@varmo.fi. Include your organisation name and a description of your request.