Last updated: 14 May 2026 · Applies to all users of FinnAdvisor
The data controller responsible for your personal data is:
For all data protection enquiries, including requests to exercise your rights under GDPR, please contact us at the address above. We aim to respond within 30 days as required by Art. 12(3) GDPR. Where requests are complex or numerous, we may extend this by a further two months and will inform you of any such extension.
We collect only the minimum data necessary to provide authentication and enforce service plan limits (data minimisation principle, Art. 5(1)(c) GDPR). We do not collect names, addresses, phone numbers, or any other identifying information beyond your email address.
| Data item | Why we collect it | Stored where |
|---|---|---|
| Email address | Magic-link authentication; account identification | Upstash Redis (EU region) |
| Usage count | Tracking analyses used per calendar month for plan enforcement | Upstash Redis (EU region) |
| Session token (fa_session cookie) | Keeping you logged in; identifying your session | Your browser (HttpOnly cookie) |
| Subscription status | Determining which plan features are available to you | Upstash Redis (EU region) |
We process your personal data only for specified, explicit, and legitimate purposes (Art. 5(1)(b) GDPR). The table below maps each processing activity to its legal basis under Art. 6 GDPR.
| Processing activity | Legal basis | Detail |
|---|---|---|
| Authentication — sending magic-link emails; validating session tokens | Art. 6(1)(b) — contract performance | Necessary to provide the service you requested by creating an account. |
| Plan enforcement — storing usage counters and subscription status | Art. 6(1)(b) — contract performance | Necessary to enforce the monthly analysis limits of your chosen plan. |
| Payment processing — passing your email to Stripe on checkout | Art. 6(1)(b) — contract performance | Required to create a Stripe subscription linked to your account. |
| Analytics — aggregate page-view and session statistics via Google Analytics | Art. 6(1)(f) — legitimate interests | We have a legitimate interest in understanding how users interact with the service to improve it. This interest is not overridden by your interests given that analytics data is aggregated and not used for profiling. You may opt out at any time (see §10). |
Where we rely on legitimate interests (Art. 6(1)(f)), you have the right to object to that processing at any time (see §11).
The case descriptions you voluntarily submit for AI analysis may contain information that constitutes "special category data" under Art. 9 GDPR — for example, details relating to your health, religion, ethnicity, or immigration status. Such information is submitted entirely at your own discretion.
The legal basis for processing any special category data you voluntarily include in a case submission is Art. 9(2)(a) GDPR — your explicit consent, given at the point of submission by choosing to include such information. You may omit sensitive details at any time without affecting the usefulness of the analysis for most questions.
Certain decisions about your account are made automatically without human review:
These automated decisions are necessary for the performance of your contract (Art. 22(2)(a) GDPR) and do not produce legal effects or similarly significant effects beyond temporary service restrictions. You have the right to request human review of any access decision you believe is incorrect by contacting support@finnadvisor.fi.
FinnAdvisor is hosted on Vercel (serverless functions and static assets, EU edge network). User account data is stored in Upstash Redis, configured to use the EU (Frankfurt) region to ensure data residency within the European Economic Area.
Email delivery (magic links) is handled by Resend. Resend processes your email address only to transmit the authentication email; no email content or address is retained by Resend beyond delivery.
AI analysis requests are sent to Anthropic's API (United States — see §7 for transfer safeguards). Case text you submit is processed ephemerally; no personally identifiable data is knowingly included in requests to Anthropic, and Anthropic does not use API inputs to train its models.
Some of our processors are located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for each transfer as required by Chapter V GDPR:
| Processor | Country | Transfer safeguard |
|---|---|---|
| Anthropic PBC | United States | Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914). Case text only; no account identifiers are transmitted. |
| Google LLC (Analytics) | United States | Standard Contractual Clauses (SCCs) under Google's Data Processing Amendment. Analytics data is aggregated and IP-anonymised. Google DPA. |
| Stripe Inc. | United States | Standard Contractual Clauses and EU–US Data Privacy Framework certification. Stripe Privacy Policy. |
| Resend Inc. | United States | Standard Contractual Clauses. Email addresses processed transiently for delivery only. |
| Vercel Inc. | United States | Standard Contractual Clauses. Static assets and serverless functions; user account data stored in EU-region Upstash only. |
You may request a copy of the relevant SCCs by contacting support@finnadvisor.fi.
We retain personal data only for as long as necessary for the purpose for which it was collected (Art. 5(1)(e) GDPR — storage limitation):
| Data item | Retention period | Basis |
|---|---|---|
| Session data (fa_session cookie) | 30 days from last login | Automatic expiry via Redis TTL |
| Monthly usage counters | 60 days (automatically expired) | Automatic expiry via Redis TTL |
| Email address and account data | Until you request account deletion | Necessary for contract performance |
| Subscription status | Until subscription is cancelled and account deleted | Necessary for contract performance |
| Google Analytics data | 14 months (Google's default retention) | Legitimate interests (aggregate analytics) |
To request deletion of your account and all associated data, email support@finnadvisor.fi with the subject line "Account Deletion Request". We will process the request within 30 days and confirm when completed.
We engage the following sub-processors under data processing agreements consistent with Art. 28 GDPR. Each processor may only process data on our documented instructions:
| Processor | Role | Data shared |
|---|---|---|
| Stripe | Payment processing | Email address and payment details. Governed by Stripe's Privacy Policy. |
| Resend | Transactional email (magic links) | Email address; not retained after delivery. |
| Upstash | Data storage (Redis, EU-Frankfurt region) | Email address, usage counters, session tokens, subscription status. |
| Vercel | Application hosting and serverless functions | Request metadata (IP address may appear in access logs; not retained by FinnAdvisor). |
| Anthropic | AI analysis engine | Case text submitted by the user. No account identifiers are transmitted. Anthropic does not use API inputs to train its models per its API usage policy. |
| Google LLC | Analytics (Google Analytics 4) | Anonymised usage data (page views, session duration, browser type). No identifiers linked to your FinnAdvisor account. Controller: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. |
We do not sell, rent, or trade your personal data to any third party for their own commercial purposes.
We use two categories of cookies:
These cookies are essential for the service to function. They are set automatically upon login and do not require separate consent under Art. 5(3) of the ePrivacy Directive:
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| fa_session | HttpOnly, Secure, SameSite=Strict, first-party | 30 days | Session authentication — required to keep you logged in. The service cannot function without this cookie. |
We use Google Analytics 4 on our landing page and application to measure aggregate, anonymous usage statistics. These cookies are set only after you consent via the cookie banner shown on your first visit.
| Cookie | Set by | Duration | Purpose |
|---|---|---|---|
| _ga | Google LLC (third-party) | 2 years | Distinguishes users for aggregate analytics. Contains a randomly generated identifier — no personal data. |
| _ga_* | Google LLC (third-party) | 2 years | Persists session state for Google Analytics 4 measurement. |
Legal basis for analytics cookies: Art. 6(1)(a) GDPR — your consent, given via the cookie banner. You may withdraw consent at any time by:
We do not use advertising cookies, retargeting pixels, or any other tracking technology beyond those described above.
As a data subject under GDPR you have the following rights. To exercise any of them, contact us at support@finnadvisor.fi. We will respond within 30 days (Art. 12(3) GDPR) at no charge.
You have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) if you believe we have processed your data unlawfully, without prejudice to any other administrative or judicial remedy:
In addition to lodging a complaint with a supervisory authority, you have the right to an effective judicial remedy under Art. 79 GDPR and §16 of the Finnish Data Protection Act (Tietosuojalaki 1050/2018). You may bring proceedings against us before the competent courts in Finland (where we are established) or in the EU member state where you are habitually resident.
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure (Art. 32 GDPR):
No method of transmission over the internet is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the Finnish Data Protection Ombudsman within 72 hours as required by Art. 33–34 GDPR.
FinnAdvisor is a small-scale service that does not carry out large-scale systematic monitoring of individuals or large-scale processing of special categories of data. Consequently, we are not required to appoint a Data Protection Officer under Art. 37 GDPR and the Finnish Data Protection Act.
All data protection enquiries should be directed to the data controller at support@finnadvisor.fi.
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:
We encourage you to review this policy periodically.
Questions? Contact us: support@finnadvisor.fi