Privacy Policy

Last updated: 29 April 2026

AinaOpen Oy (“AinaOpen”, “we”, “us”, “our”) operates the website ainaopen.com and provides AI-powered smart vending machines and the related management platform. We respect your privacy and are committed to protecting your personal data in accordance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and applicable national data protection laws.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it and what rights you have. It applies to visitors of our website, prospective customers using our contact and order forms, and end users of AinaOpen vending machines.

1. Data Controller

AinaOpen Oy, Finland — contact: privacy@ainaopen.com.

For data subject requests please email privacy@ainaopen.com.

2. Personal Data We Collect

We process the following categories of personal data:

  • Identification and contact data: name, company, email address, phone number, country/region.
  • Order and enquiry data: cabinet model, quantity, location, free-text notes, locale.
  • Payment-card identifier (tokenised) and a deposit reservation when you use a vending machine.
  • Age verification result obtained via strong customer authentication (for example TUPAS bank credentials), in compliance with PSD2/SCA.
  • Technical data: IP address, browser type, device identifiers, pages viewed, referring URL, session timestamps.
  • Cookie and analytics data: see our Cookies section below.
  • Camera surveillance recordings of vending machine premises (operated by the venue owner / our customer).

3. Purposes and Legal Basis

We process personal data for the following purposes and on the following legal bases (Art. 6 GDPR):

  • Responding to enquiries and processing order requests — performance of a contract or pre-contractual measures (Art. 6(1)(b)).
  • Operating vending machines, charging purchases and preventing fraud — performance of a contract and our legitimate interests (Art. 6(1)(b), (f)).
  • Age verification for age-restricted products — compliance with a legal obligation (Art. 6(1)(c)) and your consent where required.
  • Storing the age-verification status linked to a payment-card identifier for 30 days — legitimate interest in providing a smooth customer experience (Art. 6(1)(f)).
  • Website analytics and product improvement — your consent for non-essential cookies (Art. 6(1)(a)).
  • Compliance with accounting, tax and consumer-protection laws — legal obligation (Art. 6(1)(c)).

4. Cookies and Analytics

Our website uses strictly necessary cookies to operate, and — with your consent — Google Analytics 4 (measurement ID G-2ZKS1436ME) to understand aggregated usage. IP addresses are anonymised. You can withdraw or change your cookie consent at any time using the “Change cookies” link in the footer.

5. Recipients and International Transfers

We share personal data only with vetted processors acting on our behalf: Microsoft Azure (hosting; EU regions), Microsoft Graph (transactional email), payment service providers and authentication providers, and Google (analytics). Where data is transferred outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses and additional safeguards as required by Chapter V GDPR.

6. Retention Periods

  • Contact and order enquiries: up to 24 months from last contact.
  • Age-verification token linked to a payment card: 30 days.
  • Transaction records: 6 years (statutory accounting period in Finland).
  • Camera surveillance recordings: typically 14–30 days, as set by the venue operator.
  • Website analytics: anonymised event data retained up to 14 months.

7. Your Rights

Subject to the conditions of the GDPR you have the right to access, rectify, erase, restrict or object to the processing of your personal data, the right to data portability and the right to withdraw consent at any time. To exercise these rights please contact privacy@ainaopen.com. You also have the right to lodge a complaint with your local supervisory authority (in Finland: Office of the Data Protection Ombudsman, tietosuoja.fi).

8. Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction, including encryption in transit and at rest, role-based access control and continuous monitoring.

9. Changes to this Policy

We may update this Privacy Policy from time to time. The latest version is always available at ainaopen.com/privacy/. Material changes will be communicated through the website.

Questions about this Privacy Policy? Contact us at privacy@ainaopen.com.