Legal

Privacy Policy

Last updated 2026-06-09. This policy describes how perukirja.io collects, uses, and protects your personal data in compliance with GDPR and Finnish data protection law.

1. Privacy at a Glance

We believe legal tools should be transparent. Here is the summary of how we handle your data:

• Your Data is Yours: We use your account and estate data to provide the service, generate probate documents, process payments, and support your use of the service. We do not sell personal data.
• Security First: All data, including personal identity codes, is encrypted at rest by our database and storage infrastructure using AES-256.
• AI Privacy: Our AI Assistant uses Google Vertex AI. Your private estate data is processed to provide the assistant service but is not used to train or fine-tune AI models without permission.
• Infrastructure: Application hosting is configured in the AWS Frankfurt region. Some service providers may process limited data outside the EEA as described below.
• Control: Settings includes self-service Export your data and Delete account controls. You can download a JSON copy of application-held account and case records or request account deletion. Legal retention duties, provider restore history, and service-provider records may limit immediate or complete erasure.

2. Data Controller

Regulus Holding Oy
Business ID: 3424114-4
Konkelonkatu 24
33870 Tampere, Finland

Email: tuki@perukirja.io
Phone: +358 50 593 4915

For privacy questions or to exercise your rights, contact tuki@perukirja.io.

3. What Data We Collect & Why

We process the following categories of data to provide and operate the service:

3.1 Account & Authentication

  • Name, email address, preferred language, and profile image
  • Password hash or linked OAuth account identifiers
  • IP address, user agent, sessions, and security metadata
  • Terms acceptance, marketing consent, and email preferences

3.2 Estate & Probate Data (Sensitive)

  • Deceased person's details, including name, personal identity code, and date of death
  • Estate shareholder and heir details, including names, personal identity codes, and contact information
  • Assets, debts, spouse information, form responses, notes, document checks, and workflow progress
  • Other information you enter for preparing the estate inventory deed

3.3 AI Assistant Interactions

  • User chat prompts
  • Assistant replies
  • Metadata (model identifier, token usage)

3.4 Usage & Analytics

  • Feature usage, page views, and workflow events
  • Technical, security, rate-limit, device, browser, and attribution metadata
  • Cookie and advertising consent choices
  • Limited page and attribution events sent with in-memory browser persistence before a cookie choice
  • Operational events sent from the server, including registration, email, payment, workflow, and account-deletion events

3.5 Payments & Communications

  • Payment status, transaction identifiers, payment method, amounts, VAT, invoice and refund details
  • Payer name and email address, service description, and payment callback records
  • Transactional email delivery logs and communication preferences

4. Purposes and Legal Bases

We process personal data for the following purposes:

  1. Account creation, login, and security controls
    Legal basis: Contract performance; legitimate interests (security and fraud prevention).
  2. Delivering the probate workflow, storing case data, and providing self-service export and deletion controls
    Legal basis: Contract performance.
  3. Sending transactional and service emails, including verification, password reset, deadline, payment, and deletion messages
    Legal basis: Contract performance; legitimate interests (account security and service communications).
  4. AI assistant functionality and chat history
    Legal basis: Contract performance.
  5. Product analytics, advertising measurement, abuse prevention, rate limiting, and operational monitoring
    Legal basis: Before your cookie choice, we process limited attribution and server-side operational, security, and service-reliability events based on legitimate interests. Persistent browser analytics and advertising are based on your consent where the law requires it.
  6. Processing payments, refunds, accounting records, and legal requests
    Legal basis: Contract performance; legal obligation; legitimate interests in financial administration and legal compliance.

5. Data Sources

  • Directly from you through registration, settings, forms, chats, and support interactions.
  • From other users who enter information about an estate, deceased person, heir, shareholder, or spouse.
  • Automatically from your browser, device, and use of the service.
  • From authentication, payment, email, analytics, consent-management, and advertising providers when they deliver their services.

6. Service Providers and Recipients

We use the following service providers and recipients to operate the service:

  • Amazon Web Services (AWS): Application hosting, file storage, and content delivery (EU Frankfurt)
  • Neon: PostgreSQL database hosting (AWS Europe Central 1, Frankfurt)
  • Google Cloud (Vertex AI): AI processing
  • PostHog: Product and operational analytics through the configured EU endpoint; a CookieYes decision controls browser persistence and subsequent capture, while limited pre-decision in-memory events and server-side events may also be processed
  • Resend: Transactional email delivery
  • Paytrail: Payment processing, refunds, and payment-status callbacks
  • Google OAuth: Optional Google account sign-in
  • CookieYes: Cookie and consent management
  • Google Ads: Consent-controlled conversion measurement and remarketing

Google Cloud's Vertex AI terms state that customer data is not used to train or fine-tune AI models without the customer's prior permission or instruction.

7. International Transfers

Application hosting is configured in Frankfurt, Germany. Email, authentication, database, AI, consent-management, advertising, and provider subprocessor operations may involve processing outside the EEA. Where processing takes place outside the EEA, transfers are based on European Commission adequacy decisions (including the EU-US Data Privacy Framework) or the Commission's Standard Contractual Clauses. You can obtain a copy of the applicable safeguards by contacting us.

8. Data Retention

We don't keep your data longer than necessary:

  • Active Accounts: Account, estate, chat, preference, and communication-log data is generally kept while your account remains active and as needed to provide the service.
  • Case Deletion: Unpaid cases can be deleted from the case dashboard. Paid cases cannot be deleted separately because their payment record must remain consistent; you can use Delete account in Settings or contact support.
  • Account Deletion: You request deletion through the self-service Delete account control in Settings and confirm it through a link sent to your email. When confirmed, the active user account, authentication records, cases, estate data, chats, preferences, and application email logs are deleted. Short-lived security rate-limit records, which may contain an IP address or pseudonymous account identifier, are deleted after at most seven days. De-identified security audit events may remain after account links are removed.
  • Payment and Accounting Records: Records required by Finnish bookkeeping and payment obligations are retained for at least six years after the end of the relevant financial year. They may include payer name and email, transaction identifiers, amount, VAT, dates, refund information, and a service description. Account and case foreign-key links are removed when the account is deleted.
  • Provider Restore History: Deleted database content may remain temporarily in encrypted provider backup or point-in-time restore history until the configured recovery window expires. It is retained for disaster recovery and is not used as active application data.
  • Service-Provider Records: Payment, email, consent, advertising, security, and analytics providers may retain records under their own lawful retention periods. Self-service account deletion does not automatically erase every provider-held record; contact us to exercise rights concerning those records.

9. Data Subject Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Request rectification of inaccurate data
  • Request erasure ('Right to be Forgotten')
  • Request data portability
  • Object to or restrict processing
  • Withdraw your consent at any time (via the cookie settings or by contacting us), without affecting the lawfulness of processing carried out before withdrawal

The self-service Export your data control in Settings downloads a JSON copy of account and case records held in the application database. Delete account starts an email-confirmed account-deletion flow. The export excludes password hashes, OAuth and session tokens, account ban status and admin notes, and records held only by service providers. For a broader access request, rectification, restriction, objection, portability request, or deletion request concerning service-provider records, email tuki@perukirja.io. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman or another competent supervisory authority.

10. Security Measures

We protect your data using:

  • Encryption in Transit (TLS 1.3)
  • Encryption at Rest (AES-256)
  • Account protection: password hashing, sign-in rate limiting, and optional passkey or two-step verification
  • Logical Data Isolation
  • Regular security reviews as part of our development process

While no system is 100% secure, we continuously improve our safeguards.

11. Children

The service is not intended for children. Users must have the authority to submit data related to estate processes. Estates may, however, include minor heirs, whose details are processed as part of the estate data with the same safeguards as other sensitive data.

12. Policy Changes

We may update this policy. Material changes will be communicated via email or a prominent notice in the app.

13. Contact

Regulus Holding Oy
Konkelonkatu 24
33870 Tampere, Finland

Email: tuki@perukirja.io
Phone: +358 50 593 4915