Privacy Policy
Last updated: 2026-01-09
This Privacy Policy explains how Mikko Finell (“we”, “us”, “our”) collects and processes personal data when you use our website and our SaaS product (the “Service”).
We are committed to protecting your privacy and handling personal data in compliance with the EU General Data Protection Regulation (GDPR) and applicable local laws.
1. Data controller
The data controller for the processing described in this Privacy Policy is:
Mikko Finell
Fridhemsvägen 1 A, Jakobstad, Finland
3266529-3
Email: [email protected]
If you have any questions about this Privacy Policy or our data practices, you can contact us at [email protected].
If you appoint a Data Protection Officer (DPO), add:
Data Protection Officer: Data Protection Officer
Email: [email protected]
2. Scope – when this policy applies
This Privacy Policy applies to:
- Visitors of our website
- Users who create an account and use our SaaS Service
- Representatives of our business customers
It does not cover how our business customers use the data they upload into the Service. In those cases, our customer is typically the data controller, and we act as their data processor. See Section 10.
3. What data we collect
We only collect data that we need to operate and improve the Service. In particular, we collect the following categories:
3.1 Account and identification data
When you sign up and use the Service, we may collect:
- Organization / company name (if applicable)
- Email address
- Authentication data (hashed passwords or identity provider IDs, depending on login method)
3.2 User-uploaded content
To provide the AI workflow functionality you may upload or input content such as:
- Documents and files you upload
- Text prompts, configuration options and other inputs
- Generated outputs (e.g. reports, summaries)
This content may contain personal data, including data about third parties, depending on what you choose to upload.
3.3 Usage and telemetry data (analytics)
We collect technical and usage data about how you use the Service, for example:
- Actions taken in the interface (e.g. button clicks, pages visited, workflow runs)
- Timestamps and basic context related to those actions
- Device and browser information (e.g. browser type, operating system, approximate general region, IP address)
All analytics data is stored in databases hosted in the EU and is not sent to external analytics or marketing services.
3.4 Cookies and similar technologies
We use a limited number of cookies strictly required to operate the Service, for example:
- Authentication / session cookies to keep you logged in (e.g. refresh tokens or session IDs)
We do not use cookies for third-party tracking, advertising or external analytics.
For more information, see Section 8 (Cookies).
3.5 Communication and support data
When you contact us (e.g. via email or support forms), we process:
- Your name and contact details
- The content of your message and any additional information you choose to provide
4. Purposes and legal bases of processing
We process personal data only when we have a valid legal basis under GDPR. For each purpose, the main legal bases are:
4.1 Providing and operating the Service
- Creating and managing your account
- Authenticating you and maintaining sessions
- Handling uploads, running AI workflows, and delivering generated outputs
Legal basis:
- Performance of a contract (Article 6(1)(b) GDPR)
- Our legitimate interests in operating a secure and functional Service (Article 6(1)(f) GDPR)
4.2 Running AI workflows and using third-party AI providers
We process your uploaded content and prompts and transmit them to AI infrastructure providers (e.g. OpenAI, L.L.C.) for the purpose of generating outputs and reports.
Legal basis:
- Performance of a contract (Article 6(1)(b) GDPR)
- Our legitimate interest in providing AI-powered functionality (Article 6(1)(f) GDPR)
Where required, we rely on appropriate safeguards for transfers outside the EU (see Section 6).
4.3 Analytics and Service improvement
We collect and analyze usage and telemetry data to:
- Understand how the Service is used
- Debug issues and improve performance
- Plan new features and enhancements
Analytics is performed using our own EU-hosted infrastructure and is not shared with external analytics vendors.
Legal basis:
- Our legitimate interests in understanding and improving the Service (Article 6(1)(f) GDPR)
You can object to processing based on legitimate interest (see Section 9).
4.4 Communication and support
We use your contact details to:
- Respond to support requests
- Send essential service messages (e.g. security alerts, changes to terms or privacy policy, major service incidents)
Legal basis:
- Performance of a contract (Article 6(1)(b) GDPR)
- Our legitimate interests in communicating with users (Article 6(1)(f) GDPR)
If you choose to subscribe to optional marketing communications (if you offer them), then:
- Legal basis: Consent (Article 6(1)(a) GDPR)
- You can withdraw consent at any time.
4.5 Legal and security purposes
We may process data to:
- Prevent abuse, fraud, and security incidents
- Comply with legal obligations (e.g. accounting, requests from authorities when lawful)
- Establish, exercise or defend legal claims
Legal basis:
- Compliance with legal obligations (Article 6(1)(c) GDPR)
- Our legitimate interests in protecting our rights and systems (Article 6(1)(f) GDPR)
5. How we share personal data
We do not sell personal data.
We may share personal data with:
- Service providers and subprocessors:
  - Hosting and infrastructure providers (EU-based)
  - AI infrastructure providers (e.g. OpenAI, L.L.C.)
  - Email service providers (if applicable)
  These providers only process data on our behalf and under written data processing agreements.
- Our business customers: When we act as a processor, we may share logs, usage data or outputs with the customer who controls that data, as specified in our contract with them.
- Authorities and legal recipients: Where we are legally obliged to do so, we may disclose data to public authorities or other third parties.
We maintain an up-to-date list of subprocessors, available at: /legal/subprocessors
6. International data transfers (outside the EU/EEA)
Our infrastructure is hosted in the EU. However, to provide AI functionality, we may transmit uploaded content and prompts to AI providers located outside the EU/EEA, including the United States.
When we do so, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Additional technical and contractual measures as necessary
We also configure our AI providers so that:
- Data is not used to train their models or improve their services for others, where such controls are available
- Data is retained only as necessary to deliver the requested functionality or comply with legal obligations
You can contact us for more information about specific providers and transfer safeguards: [email protected]
7. Data retention
We retain personal data only for as long as necessary for the purposes described in this Policy, or as required by law.
In particular:
- Account data: kept for as long as your account is active. After account closure, we may retain limited information for a reasonable period for legal, accounting or security purposes.
- Uploaded content and generated outputs: retained according to your account settings or our internal retention policy, e.g. 90 days after creation or last access, unless you delete them earlier.
- Usage and telemetry data: retained for up to 12 months in aggregated or pseudonymized form.
- Support communications: retained for 12 months after the ticket is resolved.
When data is no longer needed, we will delete or irreversibly anonymize it.
8. Cookies and similar technologies
We use cookies strictly necessary for operating the Service, such as:
- Authentication / session cookies: Purpose: keep you logged in and maintain secure sessions. Type: first-party, essential. Duration: session-based or short-lived refresh token expiry.
We currently do not use:
- Third-party analytics cookies
- Marketing or advertising cookies
- Social media tracking cookies
Because only strictly necessary cookies are used, we do not display a cookie consent banner. If this changes in the future, we will update this Policy and, where required, request your consent before placing non-essential cookies.
9. Your rights under GDPR
As an individual in the EU/EEA, you have the following rights regarding your personal data:
- Right of access – to obtain confirmation whether we process your data and receive a copy.
- Right to rectification – to have inaccurate or incomplete data corrected.
- Right to erasure (“right to be forgotten”) – to request deletion of your personal data in certain cases.
- Right to restriction of processing – to request limited processing in certain circumstances.
- Right to data portability – to receive certain data in a structured, commonly used format or have it transmitted to another controller.
- Right to object – to object to processing based on our legitimate interests, including analytics.
- Right to withdraw consent – where processing is based on consent, you may withdraw it at any time (this does not affect processing that took place before withdrawal).
You can exercise these rights by contacting us at: [email protected]. We may need to verify your identity before responding to your request.
You also have the right to lodge a complaint with your local supervisory authority, for example:
Data Protection Ombudsman (Finland) https://tietosuoja.fi/en/home
10. When we act as a data processor
For many business customers, we process data on their behalf. In those cases:
- The customer is the data controller.
- We act as a data processor and process personal data according to the data processing agreement (DPA) and their instructions.
If you are an end user of a business customer, please contact that customer (your organization) directly to exercise your data protection rights. We may forward requests we receive to the relevant customer when appropriate.
11. Security
We use appropriate technical and organizational measures to protect personal data, such as:
- Encryption in transit (TLS) and at rest (where applicable)
- Access controls and authentication
- Logging and monitoring of system access and events
- Regular updates and security patches
- Internal policies and least-privilege access
No system is completely secure, but we work continuously to protect your information and improve our security practices.
12. Children’s privacy
Our Service is intended for business and professional users and is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16.
If you believe we have inadvertently collected such data, please contact us so we can delete it.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our Service or legal requirements.
When we make material changes, we will:
- Update the “Last updated” date at the top, and
- Notify you by email or via the Service where appropriate.
We encourage you to review this Policy periodically.