Privacy Policy — FinnAdvisor

Contents

Data Controller
Data We Collect
Purpose and Legal Basis
Storage and Infrastructure
Data Retention
Third-Party Processors
Cookies
Your Rights Under GDPR
Security
Changes to This Policy

GDPR applicability: FinnAdvisor is offered to residents of the European Union. This service is subject to the General Data Protection Regulation (EU) 2016/679. We are committed to processing personal data lawfully, fairly, and transparently.

1. Data Controller

The data controller for FinnAdvisor is:

Name: FinnAdvisor
Privacy contact: privacy@finnadvisor.fi

For all data protection enquiries, including requests to exercise your rights, please contact us at the email address above. We aim to respond within 30 days.

2. Data We Collect

We collect only the minimum data necessary to provide authentication and enforce service plan limits. We do not collect names, addresses, phone numbers, or any sensitive personal data unless you voluntarily include such information in a case description you submit for analysis.

Data item	Why we collect it	Stored where
Email address	Magic-link authentication; account identification	Upstash Redis (EU region)
Usage count	Tracking analyses used per calendar month for plan enforcement	Upstash Redis (EU region)
Session token (fa_session cookie)	Keeping you logged in; identifying your session	Your browser (HttpOnly cookie)
Subscription status	Determining which plan features are available to you	Upstash Redis (EU region)

What we do NOT collect

Passwords — authentication is passwordless (magic link only)
Payment card numbers or banking details — payments are handled entirely by Stripe
Location data or device fingerprints
Case content submitted for AI analysis — analysis requests are processed ephemerally and not stored against your account

3. Purpose and Legal Basis

Authentication

We process your email address to send you a one-time magic link so you can sign in. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) — authentication is necessary to provide you with the service you requested.

Plan enforcement

We store a usage counter linked to your account to enforce the monthly analysis limits of your chosen plan. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Payment processing

If you subscribe to a paid plan, Stripe processes your payment details. We receive only a subscription status flag. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).

Service improvement

Aggregated, non-personal usage statistics (e.g., total number of analyses per case type) may be used to improve the service. No individual user is identifiable from these statistics.

4. Storage and Infrastructure

FinnAdvisor is hosted on Vercel (edge functions and static assets). User account data and session data are stored in Upstash Redis, configured to use the EU (Frankfurt) region to ensure data residency within the European Economic Area.

Email delivery (magic links) is handled by Resend. Resend processes your email address only to transmit the authentication email; no email content or address is retained by Resend beyond delivery.

AI analysis requests are sent to Anthropic's API. Case text you submit is processed ephemerally to generate a response; no personally identifiable data is knowingly included in requests to Anthropic.

5. Data Retention

Data item	Retention period
Session data (fa_session cookie)	30 days from last login
Monthly usage counters	60 days (then automatically expired by Redis TTL)
Email address and account data	Until you request account deletion
Subscription status	Until cancelled and account deleted

To request deletion of your account and all associated data, email privacy@finnadvisor.fi with the subject line "Account Deletion Request". We will action the request within 30 days and confirm when completed.

6. Third-Party Processors

We engage the following sub-processors. Each is bound by a data processing agreement consistent with GDPR requirements:

Processor	Role	Data shared
Stripe	Payment processing	Email address, payment details. Governed by Stripe's Privacy Policy.
Resend	Transactional email delivery (magic links)	Email address and link only; not retained after delivery.
Upstash	Data storage (Redis, EU region)	Email address, usage counters, session tokens.
Vercel	Application hosting and edge functions	Request metadata (IP address may appear in Vercel access logs; not stored by FinnAdvisor).
Anthropic	AI analysis engine	Case text submitted by the user. No personal identifiers are deliberately included. Anthropic's API is used subject to their terms; no case text is used to train Anthropic models via the API.

We do not sell, rent, or trade your personal data to any third party.

7. Cookies

FinnAdvisor uses a single first-party cookie required for the service to function:

Cookie	Type	Duration	Purpose
fa_session	HttpOnly, Secure, SameSite=Strict	30 days	Session authentication — required to keep you logged in. Without this cookie the service cannot function.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Because the sole cookie is strictly necessary for the service to operate, it is set automatically upon login without requiring separate consent under ePrivacy rules. You may delete this cookie at any time via your browser settings, which will sign you out.

8. Your Rights Under GDPR

As a data subject under GDPR you have the following rights. To exercise any of them, contact us at privacy@finnadvisor.fi. We will respond within 30 days.

Right of access (Art. 15): Request a copy of the personal data we hold about you.
Right to rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
Right to erasure (Art. 17): Request deletion of your personal data where there is no overriding legitimate reason for us to continue processing it.
Right to data portability (Art. 20): Receive your data in a structured, machine-readable format and transfer it to another controller.
Right to object (Art. 21): Object to processing based on legitimate interests.
Right to lodge a complaint: You have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu) at tietosuoja.fi if you believe we have processed your data unlawfully.

9. Security

We implement appropriate technical and organisational measures to protect your personal data:

All data in transit is encrypted via HTTPS (TLS 1.2+).
Session cookies are set with the HttpOnly and Secure flags to prevent client-side access.
Passwords are never stored — authentication is exclusively via time-limited magic links.
Access to Upstash Redis is restricted by secret credentials held only in server-side environment variables.
Redis keys are automatically expired using TTL, minimising the volume of data retained at any time.

No method of transmission over the internet or electronic storage is 100% secure. In the event of a personal data breach that is likely to result in high risk to your rights, we will notify you and the relevant supervisory authority as required by Art. 33–34 GDPR.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email. Continued use of the service after a policy update constitutes acceptance of the revised terms.

Questions about this policy? Contact us: privacy@finnadvisor.fi