Privacy Policy

Updated 10 February 2026 | Effective from 10 February 2026

1. Data Controller

Nopea Labs Oy
Business ID: (to be provided upon registration)
Email: admin@suoja.ai

2. Contact Person for Data Protection Matters

For questions regarding data protection, please contact us at admin@suoja.ai.

3. Name of the Register

suoja.ai service customer register.

4. Purpose and Legal Basis of Personal Data Processing

4.1 Purposes of Processing

• Providing and maintaining the service (AI assistant, email, calendar, web search)
• Order and billing management
• Customer support and communication
• Service development and bug fixing
• Compliance with legal obligations

4.2 Legal Bases

• Contract (GDPR Art. 6(1)(b)): Processing of personal data is necessary for the performance of the service agreement.
• Legitimate interest (GDPR Art. 6(1)(f)): Technical maintenance of the service, information security, and prevention of misuse.
• Legal obligation (GDPR Art. 6(1)(c)): Obligations under the Finnish Accounting Act.

5. Personal Data Collected

5.1 Data Collected During Registration

• Name
• Email address
• Company name (optional)

5.2 Payment Information

Payment card information is processed by Stripe, Inc. (PCI DSS-certified payment service provider). We do not store payment card details in our own systems. We only retain Stripe customer and subscription identifiers for billing management purposes.

5.3 Data Generated Through Service Use

• AI assistant conversation history (stored in the customer's own isolated environment)
• Email and calendar content (stored in the customer's own environment)
• Technical log data (IP address, request timestamps, error messages)
• LLM usage volumes for billing and budget monitoring purposes

6. Data Retention and Location

6.1 Storage Locations

• Google Cloud Platform (europe-north1, Hamina, Finland): AI environments, conversation history, email and calendar data, technical log data.
• Supabase (EU region, Ireland): Customer register, order management, system logs.
• Stripe, Inc. (EU region servers): Payment and billing data.

6.2 Retention Periods

• Customer data: For the duration of the contractual relationship and 6 months after its termination, unless a legal obligation requires a longer retention period.
• Conversation history: Under the customer's control. Deleted when the customer relationship ends and the customer requests deletion, or within 30 days of the relationship ending at the latest.
• Billing data: 6 years in accordance with the Finnish Accounting Act.
• Technical logs: 90 days.

7. Data Transfers and Disclosures

7.1 Subprocessors and Third Parties

• Google Cloud Platform / Vertex AI — Infrastructure and LLM models. AI query content is sent to Google Vertex AI for processing. Google does not use customer data for model training under the Vertex AI terms of service.
  Location: EU (europe-north1, europe-west1).
• Stripe, Inc. — Payment processing. Stripe is PCI DSS Level 1 certified.
  Location: EU region servers; company domiciled in the United States (EU Standard Contractual Clauses).
• Supabase, Inc. — Database and authentication services.
  Location: EU (Ireland); company domiciled in the United States (EU Standard Contractual Clauses).
• Amazon Web Services (SES) — Email delivery.
  Location: EU (Ireland, eu-west-1).

7.2 Data Transfers Outside the EU

We do not transfer personal data outside the EU/EEA without appropriate safeguards. We use EU Standard Contractual Clauses (SCCs) or equivalent GDPR-compliant safeguards with our subprocessors.

7.3 Other Disclosures

We do not sell, rent, or otherwise disclose your personal data to third parties for marketing purposes. Data may be disclosed to authorities when required by law.

8. Data Subject Rights

You have the following rights under the GDPR:

• Right of access (Art. 15): You may request a copy of the personal data we process about you.
• Right to rectification (Art. 16): You may request the correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): You may request the deletion of your personal data, unless there is a legal basis for continued processing.
• Right to restriction of processing (Art. 18): You may request the restriction of processing in certain circumstances.
• Right to data portability (Art. 20): You may request your data in a machine-readable format.
• Right to object (Art. 21): You may object to the processing of your data based on legitimate interest.

You may exercise your rights by sending a request to admin@suoja.ai. We will respond to requests within 30 days.

If you believe that the processing of your personal data violates data protection legislation, you have the right to lodge a complaint with the supervisory authority:

Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Lintulahdenkuja 4, 00530 Helsinki, Finland
Phone: +358 29 566 6700
Email: tietosuoja(at)om.fi
Website: tietosuoja.fi

9. Cookies

The suoja.ai website uses only strictly necessary technical cookies to ensure the functioning of the service (session cookies). We do not use analytics, advertising, or tracking cookies. No third-party cookies are loaded.

10. Information Security

We protect personal data with the following measures:

• All traffic is TLS-encrypted (HTTPS).
• Each customer operates in their own isolated Docker container, with their own network and keys.
• Servers are located in Google Cloud's data centre in Finland, with restricted access.
• Passwords and keys are stored in GCP Secret Manager or Stripe's secure environment.
• Regular security updates and audits.

11. Changes to This Privacy Policy

We reserve the right to update this privacy policy. Material changes will be communicated via email and/or the service interface. The updated version is always available on this page.

12. Contact Information

For all questions regarding data protection, please contact:
Nopea Labs Oy
Email: admin@suoja.ai