Privacy Policy
Last updated: 18 April 2026
1. Data Controller
The controller of your personal data is:
For any privacy-related request (access, correction, deletion, portability, objection) please contact info@tulostan.fi.
2. Personal Data We Collect
- Contact and account data: name, email address, phone number, password hash.
- Delivery data: shipping address, recipient name, delivery preferences.
- Order data: uploaded STL/CAD files, order specifications, order history, invoices.
- Payment metadata: transaction ID, paid amount, payment status. Full card numbers are never stored by us.
- Technical data: IP address, browser and device information, authentication events, security and audit logs.
3. Purposes and Legal Bases for Processing
- Order fulfillment and customer service — performance of a contract (GDPR Art. 6(1)(b)).
- Account management and authentication — performance of a contract and our legitimate interest in secure access (Art. 6(1)(b) and (f)).
- Accounting, invoicing and tax obligations — compliance with legal obligations (Art. 6(1)(c); Finnish Accounting Act requires retention of records).
- Fraud prevention, security, diagnostics — legitimate interest in protecting the service and its users (Art. 6(1)(f)).
- Service communications — legitimate interest and, where required, consent (Art. 6(1)(a) and (f)).
4. Recipients and Processors
We share personal data only with processors that help us operate the service. These currently include:
- Stripe — payment processing (stripe.com).
- Supabase — authentication, database and file storage (supabase.com).
- Hosting and email providers used for website hosting and transactional email.
- Logistics carriers such as Posti or the courier chosen at checkout, for delivery only.
All processors act on our documented instructions under a data processing agreement. We do not sell your personal data.
5. International Data Transfers
Some of our processors (for example Stripe and Supabase) may process data outside the European Economic Area, including in the United States. Where personal data is transferred outside the EEA, we rely on safeguards recognized under GDPR, such as the European Commission’s Standard Contractual Clauses or an adequacy decision where applicable.
6. Cookies and Similar Technologies
We use strictly necessary cookies and local storage to keep you signed in and to remember order context (for example the uploaded STL during checkout). These are required for the service to function and do not require consent. We do not currently use third-party advertising or profiling cookies. Any future use of non-essential analytics or marketing cookies will be based on your prior consent.
7. Retention
- Account data — while the account is active and up to 12 months after closure.
- Order and invoicing data — at least six (6) years from the end of the accounting period, as required by the Finnish Accounting Act.
- Uploaded files — deleted or anonymized once the order is fulfilled and the statutory warranty period has passed, unless you delete them earlier.
- Security and audit logs — typically up to 12 months unless a longer period is needed for investigation of an incident.
8. Your Rights
Under the GDPR you have the right to access, rectification, erasure, restriction of processing, data portability, and objection to processing based on legitimate interest. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu, tietosuoja.fi) or the supervisory authority of your country of residence.
9. Security
We use technical and organizational safeguards including authenticated access, transport encryption (HTTPS/TLS), secret management, principle of least privilege, and event and audit logging. Despite these measures, no online service can guarantee absolute security.
10. Automated Decisions and Profiling
We do not make decisions with significant legal or similar effects based solely on automated processing or profiling.
11. Changes to This Policy
We may update this policy as the service evolves or legal requirements change. The “last updated” date at the top will reflect the latest version. Material changes will be communicated in a reasonable manner before they take effect.
Questions about privacy or data handling can always be sent to info@tulostan.fi.