Privacy Policy

Last updated 2026-02-20. This policy describes how perukirja.io collects, uses, and protects your personal data in compliance with GDPR and Finnish data protection law.

1. Privacy at a Glance

We believe legal tools should be transparent. Here is a summary of how we handle your data:

• Your Data is Yours: We process your estate data solely to generate your probate documents. We do not sell your data.
• Security First: All sensitive data (like SSNs) is encrypted at rest using industry-standard AES-256 encryption.
• AI Privacy: Our AI Assistant uses Google Vertex AI (EU-based). Your private estate data is processed to provide the assistant service but is NOT used to train foundation AI models.
• GDPR Compliance: We are a Finnish company and store your data within the EU (AWS Frankfurt).
• Control: You can delete your case or your entire account at any time.

2. Data Controller

Regulus Holding Oy
Business ID: 3424114-4
Address: Available on request
Email: tuki@perukirja.io

For any privacy-related questions or to exercise your rights, please contact us at tuki@perukirja.io.

3. What Data We Collect & Why

We collect data to provide the 'Smart Form Wizard' and AI Assistant services:

3.1 Account & Authentication

  • Name and email address
  • Password hash
  • IP address and session data

3.2 Estate & Probate Data (Sensitive)

  • Deceased person's details (Name, SSN, Date of Death)
  • Heir details (Name, SSN, contact info)
  • Asset and Debt records
  • Spouse details

3.3 AI Assistant Interactions

  • User chat prompts
  • Assistant replies
  • Metadata (model identifier, token usage)

3.4 Usage & Analytics

  • Feature usage and page views
  • Technical logs
  • Cookie consent records

4. Purposes and Legal Bases

We process personal data for the following purposes:

  1. Account creation, login, and security controls
    Legal basis: Contract performance; legitimate interests (security and fraud prevention).
  2. Delivering the probate workflow service and storing case data
    Legal basis: Contract performance.
  3. Sending transactional emails (verification, password reset)
    Legal basis: Contract performance; legitimate interests (account security).
  4. AI assistant functionality and chat history
    Legal basis: Contract performance.
  5. Abuse prevention, rate limiting, and security monitoring
    Legal basis: Legitimate interests; consent for analytics where required by law.
  6. Legal compliance and recordkeeping
    Legal basis: Legal obligation and legitimate interests.

5. Data Sources

  • Directly from users through forms and chat interactions.
  • Automatically from device metadata during service use.

6. Third-Party Processors

We use trusted partners to help us run the service. All are bound by Data Processing Agreements (DPAs):

  • Amazon Web Services (AWS): Hosting & Infrastructure (EU Frankfurt)
  • Google Cloud (Vertex AI): AI Processing (EU)
  • PostHog: Product Analytics (EU - Opt-in only)
  • Resend: Transactional Emails (Global)
  • Better Auth: Authentication (Self-hosted on AWS EU)
  • CookieYes: Consent Management (Global)

AI Data Guarantee: Under our enterprise agreement, your chat data is NOT used by Google to train their public AI models.

7. International Transfers

We prioritize EU-based processing. Our core infrastructure (AWS) is located in Frankfurt, Germany. Where data is processed outside the EEA (e.g., via sub-processors), we rely on GDPR-compliant safeguards such as Standard Contractual Clauses (SCCs).

8. Data Retention

We don't keep your data longer than necessary:

  • Active Accounts: Data is kept while the account is active.
  • Inactivity: After 2 years of inactivity, we will notify you and delete the account if no action is taken.
  • User Deletion: If you delete a Case or Account, data is removed from active systems within 30 days.
  • Backups: May persist in encrypted backups for up to 90 days.

9. Data Subject Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Request rectification of inaccurate data
  • Request erasure ('Right to be Forgotten')
  • Request data portability
  • Object to or restrict processing

To exercise these rights, email tuki@perukirja.io. You also have the right to lodge a complaint with a supervisory authority.

10. Security Measures

We protect your data using:

  • Encryption in Transit (TLS 1.3)
  • Encryption at Rest (AES-256)
  • Logical Data Isolation
  • Regular Security Audits

While no system is 100% secure, we continuously improve our safeguards.

11. Children

The service is not intended for children. Users must have the authority to submit data related to estate processes.

12. Policy Changes

We may update this policy. Material changes will be communicated via email or a prominent notice in the app.

13. Contact

For privacy-related requests:

Email: tuki@perukirja.io
Postal: Available on request via email