Privacy Policy

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

The personal information we collect may include:

• Name and email address
• Account credentials (email and password — passwords are stored in hashed form and never in plain text)
• Billing information processed by Stripe (we do not store full card details ourselves)
• Any information you choose to provide when contacting us

Sensitive Information: We do not process sensitive information.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information — such as your IP address and browser characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for a variety of reasons, including:

• To facilitate account creation and authentication
• To deliver and manage our Services
• To process payments via Stripe
• To send transactional emails (e.g., account confirmations, notifications) via Resend
• To respond to your inquiries and provide customer support
• To detect, prevent, and address technical issues or fraud
• To comply with legal obligations

In Short: We may share information in specific situations and with the following third parties.

We use the following third-party service providers that may process your personal data:

• Resend — used to send transactional emails. Your email address is shared with Resend for this purpose.
• Stripe — used to process payments. Stripe handles payment card data directly; we do not store your full card details. Stripe's privacy policy applies to data they collect.

We may also share your personal information in the following situations:

• Business Transfers: We may share or transfer your information in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business.
• Affiliates: We may share your information with our affiliates, who are required to honor this Privacy Notice.
• Legal Requirements: We may disclose your information where required to do so by law or in response to valid requests by public authorities.

In Short: We use only essential cookies necessary for the operation of our Services.

We may use session cookies or similar technologies strictly necessary to operate the Services (for example, to keep you logged in). We do not use advertising cookies, third-party analytics cookies, or tracking pixels. If you have questions about our cookie practices, please contact us directly.

In Short: We use email and password authentication only. Passwords are never stored in plain text.

Our Services use email and password to authenticate users. Passwords are hashed using industry-standard methods before storage. We do not offer or use third-party social media logins.

In Short: Your information is stored on EU-based servers and may be processed by our third-party providers in other countries.

Our servers are located within the European Union. If you are accessing our Services from outside the EU, please be aware that your information may be transferred to, stored by, and processed by us in the EU.

Please note that our third-party providers (Resend, Stripe) may process your data outside the EEA. Where this occurs, we ensure appropriate safeguards are in place in accordance with applicable data protection law, including the use of Standard Contractual Clauses where required.

In Short: We keep your information for as long as necessary to fulfil the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information.

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 years old. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at info@kartal.fi.

In Short: As a resident of Finland and the EEA, you have rights under the General Data Protection Regulation (GDPR), including rights to access, rectify, erase, or restrict processing of your personal data.

Your rights include:

• The right to access the personal data we hold about you
• The right to correct inaccurate personal data
• The right to request erasure of your personal data
• The right to restrict or object to processing
• The right to data portability
• The right to withdraw consent at any time, where processing is based on consent

To exercise any of these rights, please contact us at info@kartal.fi. We will respond to your request within the timeframes required by applicable law (generally within 30 days).

You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) at tietosuoja.fi if you believe your rights have been violated.

Most web browsers and some mobile operating systems include a Do-Not-Track ("DNT") feature. At this stage, no uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals. If a standard is adopted that we must follow in the future, we will update this Privacy Notice accordingly.

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated date at the top of this Privacy Notice. If we make material changes, we may notify you either by posting a prominent notice or by sending you a direct notification. We encourage you to review this Privacy Notice periodically.

If you have questions or comments about this notice, you may contact us by email at:

Kartal Solutions Oy info@kartal.fi

Based on applicable laws, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information.

To request to review, update, or delete your personal information, please contact us at info@kartal.fi. We will handle your request in accordance with applicable data protection laws, including the GDPR.